January 31, 2005
How big is Microsoft?
Big. Really big. Really, really big. As this AP story makes clear:
Personal income, boosted by a large dividend payment from computer software giant Microsoft Corp., shot up by a record 3.7 percent in December. That helped to boost consumer spending during the all-important holiday season by 0.8 percent.
The Commerce Department reported Monday that the income gain would have been a smaller 0.6 percent in December without the one-time $3 per share dividend payment Microsoft made on Dec. 2. Even that reduced figure would have been an improvement over the 0.4 percent rise in personal incomes in November.
While it is highly unusual for a dividend payment from a single company to have such a major impact on incomes, Microsoft is one of the most widely held stocks in America. The size of the payment — $32 billion — rivaled the $38 billion the government paid out in federal income tax rebates in the summer of 2001.
Yow.
(Thanks to Jesse at Pandagon for pointing out this story.)
The impact of antitrust on Microsoft
An interesting tidbit in this eWeek story about Microsoft’s decision not to bundle desktop search with Windows:
Speaking on a panel on search technology at the Harvard Business School's Cyberposium, Mark Kroese, general manager of information services and merchant platform product marketing for MSN, said the federal antitrust battle Microsoft waged with the government has made the company think twice about what technologies it can add to the operating system.
"Working at Microsoft today vs. five years ago is different," Kroese said. "If anyone thinks the antitrust case hasn't slowed us down, you're wrong. If I want to meet with a products manager for Windows there needs to be three lawyers in the room. We have to be so careful, we err on the side of caution. We are on such a fine line of conduct."
Is that a good thing? You tell me…
Bold proposal, bad idea
Jake Wilcox has posted what he calls A Bold Proposal: Microsoft should release Windows 98 as freeware. He’s getting lots of publicity after asking Robert Scoble to jump on the bandwagon.
My opinion? This is a terrible, terrible idea. Windows 98 was a worthwhile operating system in its day, but encouraging people to use it today is just wrong. It’s built on an unreliable kernel (remember system resources, anyone?). It is woefully lacking in modern security features. It is incompatible with a large number of new applications.
Windows XP was a watershed. It represented a break with the old 9X code base and a move to the reliable NT kernel. As Service Pack 2 has proved, you can make this operating system extremely secure (and yes, there’s still plenty more work to do). I understand why people continue to use Windows 98, but why should anyone encourage more people to use an obsolete, insecure operating system that falls short of modern standards of reliability and security even after being extensively customized?
Jake, if you want to make a bold proposal, how about encouraging Microsoft to lower the cost of upgrading those old computers to Windows XP? What if the upgrade cost $49 instead of $99 for Windows XP Home Edition? What if Microsoft took the “lite” Windows XP Starter Edition it now sells in Thailand, Malaysia, and Indonesia and released a $29 version for domestic consumption? Even on a seven-year-old computer, I could probably make XP work. It might need a little extra memory and some judicious tweaking, but it would work. And it would be safer and more reliable than an old, unpatched copy of Windows 98.
January 30, 2005
Is that Internet Explorer add-on safe?
Internet Explorer supports all sorts of add-ons and extensions. The most popular are Browser Helper Objects (BHOs), browser extensions, and toolbars. If you run Windows XP Service Pack 2, you can view a list of all installed add-ons by choosing Tools, Manage Add-ons. From this dialog box you can enable, disable, or update anything on the list.
So how do you tell which add-ons are good and which ones are evil? Start at the CastleCops Master BHO and Toolbar List. The list is currently at 1609 entries and does an excellent job of sorting the good, the bad, and the ugly.
January 29, 2005
Help me clean up sleazy ads (again)
In the comments to another post, a new visitor named Spider writes:
While here reading your good information about spyware, protection, and the need for running several products, I was not sure if I should be amused or upset that your Google ads linked me to five sites that wanted to sell me spyware removal software that are all contained on [the Rogue Anti-Spyware list] at Spyware Warrior's site. Ironically it was Spyware Warrior's blog that led me to this page.
I wrote about this last September, shortly after I added Google ads to this site, in a post entitled Help me clean up sleazy ads. Since that time, I have blocked 42 URLs from the list of sites that I will allow to advertise here. Unfortunately, it’s a never-ending battle, because these people continually register new domains and change the names of their products to work around filters.
Most of the ads that appear here are legitimate and useful. Unfortunately, a handful of keywords have been taken over by companies that are less than honest. That’s a big problem when I write about the MP3 format as well, with ads suddenly appearing that offer unlimited downloads of music and movies but are actually links to suspect software and untrustworthy file-sharing networks.
The problem is not unique to this site. In fact, anyone who searches for anti-spyware software or MP3s or song lyrics is almost certain to run into this problem head-on. I’m considering adding a disclaimer above the ad strip with advice on how to avoid being scammed by these sleaze artists. If anyone has any additional suggestions, please leave them in the comments section here.
Update: Eric L. Howes has an excellent, concise description of the Google problem here. He also links to an ad-filter list at the Short-Media Forums. I’ve incorporated that filter list into this site.
January 28, 2005
X10 interface for Windows Media Center
MCESoft links to the new MyHome plug-in, which allows you to control an X10 home automation system via a PC running Windows Media Center Edition 2005:
MyHome for Media Center is a plug-in to control your X10 home automation system. At this time it's programmed to work with the PowerLinc II Serial/TW523 X10 Interface, a serial to X10 converter, but it may be revised to be modular and support other hardware drivers if there is enough interest for it. There is no configuration needed for the plug-in to work, the COM ports are scanned and a connection to the X10 Interface is set up automatically.
I’ve been meaning to look into adding X10 components to my home for a while, but never got around to it. I suspect one reason is the horrible reputation the company got for being … well, let’s call them a pioneer in the field of pop-up advertising on the Internet.
But the technology is really cool, even if their advertising is terrible.
Cover your tracks in Firefox
For at least the last five years, I’ve recommended a program called PurgeIE as a way to clean up traces that Internet Explorer leaves behind. Recently, I heard from Jim Lawler, the program’s developer, that he’s released a Firefox-compatible alternative called PurgeFox. I’ve put the program through its paces over the past month or so and recommend it highly.
If you’ve ever used PurgeIE, the PurgeFox interface will be familiar. It doesn’t work as a Firefox plug-in but rather runs as a stand-alone program.
By selecting check boxes on the Purge Options dialog box, you decide what you want to eliminate. You can wipe out some or all of the following Firefox elements: the browser cache, cookies, history file, and forms history. The program also gives you the option to erase the contents of various locations that aren’t directly related to Firefox, like temp folders, the Windows file history, the Recycle Bin, and the Clipboard.
The program’s biggest strength is as a cookie manager. Like PurgeIE, it gives you the option to designate specific cookies as protected, a setting that it saves in its configuration files. As you go through the list, you can see the exact contents of each cookie and decide for yourself whether to keep it or purge it. This setting is maintained in addition to the Firefox Allow/Block settings. When you click the Purge button, the program zaps all cookies except those marked as Protected.
PurgeFox has one thoughtful feature designed to keep you from inadvertently deleting more than you intended. After you select a group of settings, click the Preview button to open a window that shows you exactly what will happen if you use those settings. If you’re satisfied with the results, click the Purge button to do the job. For the sake of convenience, you can also save different groups of settings to run on startup and on shutdown, and in response to a Purge Now button that lives on your desktop or on the Start menu. That’s handy if you want to routinely clean out certain settings without having to select options all over again.
Most of the features that PurgeFox performs can be done manually, if you know where to look in the Firefox Options dialog box and in various Windows dialog boxes. Besides being more convenient, this program adds a “secure erase” option, which makes it more difficult for someone to recover files you thought you had deleted. It also supports plug-ins that extend its functionality to other programs, including Adobe Acrobat, the Google toolbar, WinZip, and other elements of the Windows interface, including the Run box and the search history.
The program runs on Windows XP, 2000, and 2003. It also runs on older versions, including Windows 98, Windows Me, and NT 4.0. If you’re a privacy fanatic and you use Firefox, this is well worth the $21.95 license fee. If you already own PurgeIE or PurgeIE Pro, you can get a PurgeFox license for $11. Not sure? Try it out for 15 days.
Category-specific RSS feeds
As an experiment, I’ve created two new RSS feeds for this site. The main feed includes every post. The two new feeds provide only posts that are in the Security or Windows Media Center Edition categories. Both feeds are RSS 2.0 with full content.
If anyone finds a problem with either of these feeds, let me know in the comments.
January 27, 2005
ATI's new TV tuner board
Microsoft’s Sean Alexander may have moved over to the Longhorn group (congrats, Sean!) and off the Media Center team, but he’s still posting good stuff at Addicted to Digital Media:
ATI's new Home Theater 550 Pro-based ATI TV Wonder Elite TV Tuner board was just released and started shipping to retailers today. I just got my hands on a board and have personally seen the quality of this standard-def tuner beat that of an upsampled signal on a high end HDTV set from a major manufacturer. That's saying a LOT. Thanks to the 3D comb filter, you don't get the "jitter effect" you normally see on overlaid graphics such as a CNN or NBC logo or sports scorebox. I cannot wait to put this board through its paces personally on my MCE box this weekend.
The Imaging Science Foundation (ISF) has certified this board as meeting or exceeding specifications for high-end consumer AV electronics.
If what I've seen holds true, this board significantly raises the bar for other PC-based TV tuner manufacturers. I know ATI has been investing heavily to develop this card to exacting quality.
I used the previous generation of ATI’s All-in-Wonder cards (I still own two, in fact). They were OK for their time, but once you experience hardware decoding you can’t go back to slow, crash-prone, software-based decoders like the AIW series. Lately I’ve been working with Hauppauge’s Win TV-PVR series of boards. The most recent addition is the dual-tuner WinTV-PVR-500MCE, which is now in full service here. Every Hauppauge board has performed exceptionally well, and this one is no exception. I’ll have more to say about it later. Meanwhile, I’m eager to try the new ATI board.
January 26, 2005
New version of Microsoft Baseline Security Analyzer is out
If you’ve never used the Microsoft Baseline Security Analyzer, this might be a good time to give it a try. Version 1.2.1 is now available for download here. The documentation is intimidating (and the accompanying FAQ is only a little less so), but the application itself is pretty straightforward. It scans every version of Windows 2000, Windows XP, and Windows 2003 (sorry, not Windows 9X/Me), and also looks for security problems in Microsoft client and server programs, including Windows Media Player, Internet Explorer, Exchange Server, and IIS. You can also scan multiple computers over a network. It does a much more thorough job than Windows Update — instead of just looking for patches, it also examines your system configuration for common security weaknesses, such as easy-to-crack weak passwords or too many file shares.
Highly recommended for anyone who is serious about Windows Security.
Images from New Mexico
New Mexico is one of my favorite places on earth, and Philip Greenspun’s Photographer's Guide to New Mexico has the pictures to prove it.
I just had to share…
Microsoft to expand Genuine Advantage program
This story in today’s Washington Post is confusing:
Microsoft to Launch Anti-Piracy Initiative:
Microsoft Corp. will combat piracy of its flagship operating system by requiring Windows users to verify that their copy of the software is genuine in order to receive timely updates and security fixes, the world's largest software maker said on Wednesday.
Under a new verification program, users will have to prove their copy was obtained legitimately to receive "greater reliability, faster access to updates, and richer user experiences" from Windows XP, the latest version of the operating system running on over 90 percent of the world's personal computers.
Users of pirated copies of Windows will still be able to get some updates, such as security patches, but will not be able to get other add-ons for Windows, the Redmond, Washington-based company said in a statement.
The new initiative, called Windows Genuine Advantage, will start in mid-2005.
Microsoft said it will expand in February a trial authentication program it began last fall for English-language users to include 20 more languages. In order to attract more users to the trial, Microsoft is also offering downloads of add-on software and discounts on games and online services.
Authentication will become mandatory in mid-2005 for all users seeking to access software updates, downloads and security fixes for Windows, Microsoft said.
I’ve bold-faced the two most obvious contradictory statements in this report. Will users of unauthenticated copies still be able to get security updates or not? I’m still looking for the original source of this story.
I have no problem with a program that rewards people who have legitimate copies of Windows with add-ons, fun stuff, and even access to the library of signed, certified, updated drivers. But Windows security should not be tied to any anti-piracy efforts. One insecure copy of Windows affects the entire Internet ecosystem. If a patch is available to prevent that computer from becoming a vector for viruses, worms, and spam, then that patch should be freely available, with no restrictions of any kind.
Update: CNET News explains how it will work:
By the middle of this year, Microsoft will make the verification mandatory in all countries for both add-on features to Windows as well as for all OS updates, including security patches. Microsoft will continue to allow all people to get Windows updates by turning on the Automatic Update feature within Windows. By doing so, Microsoft hopes it has struck a balance between promoting security and ensuring that people buy genuine versions of Windows.
"We think that the best foundation for the most secure system is genuine software," said David Lazar, director of the Genuine Windows program at Microsoft. "We want to urge all of our customers to use genuine software. (At the same time), we want to make sure that we don't do anything to reduce the likelihood that a user will keep their system up to date."
OK, I can accept that. Automatic Updates provides a perfectly good mechanism to deliver all Critical Updates and security patches. And most updates are still available for manual download from Microsoft’s FTP servers. Someone using a pirated copy won’t have the option to use the Windows Update site, but they won’t be blocked from installing security patches. That’s fine.
Another update: The press release announcing this change is now up on Microsoft’s site. Here’s a key excerpt:
Microsoft to Implement Worldwide Anti-Piracy Initiative
In the second half of 2005, visitors to the Microsoft Download Center and Windows Update will be required to participate in Windows Genuine Advantage to access all content. To help customers who may require more time to move to genuine Windows software, Microsoft is offering security updates through Automatic Updates in Windows, with or without Windows Genuine Advantage validation.
I really don’t like the sound of that last sentence, which implies that access to Automatic Updates may be cut off in the future for people who are unwilling or unable to prove that their copy of Windows is “genuine.”
January 25, 2005
Why PowerPoint and IM programs don't mix
(Via Mitch Ratcliffe)
Ten things you need to know about spyware
Update: I've made some small but significant changes to this list based on excellent feedback from the anti-spyware community. I've also published a second installment in this series. See "Six steps you can take to block unwanted software."
Carl Siechert and I are currently working on an update to our 2002 book Windows Security Inside Out. It’s been only a little over two years, but a lot has changed in the computer security landscape during that time. So much, in fact, that the update is much more extensive than we originally envisioned.
The biggest change, in my opinion, is the explosive growth in what’s commonly called spyware. We spent about four paragraphs on the topic in the first edition, basically telling readers to install a firewall and use Ad-Aware. In this edition, we’re devoting an entire chapter to spyware, and we’ll have significant coverage of related topics in at least four other chapters.
One frustrating aspect of the whole spyware topic is the extraordinary amount of misinformation floating around about what spyware is, how it gets on your computer, and how you can protect yourself most effectively from being a victim. To organize my thinking, I’ve put together the following list of ten essential facts about spyware. This list forms the basis of the spyware coverage in the new edition. I recognize that some of these statements may be controversial, and I’m open to alternative points of view. (If you want to reply, add a comment or create your own blog entry and send me a trackback.)
The list begins after the jump.
- There is no general agreement on what spyware is. Google offers these five definitions. Most of them focus on the classic definition of programs that “monitor your actions” and “gather information without your knowledge.” The term spyware is routinely conflated with adware, which refers to a broad category of software that is supported by advertising. In reality, people begin to care about spyware when it starts to have a negative effect on their computer’s performance and they can’t get rid of it. My definition of spyware is: “Any program that is installed without the user’s full and informed consent, often through deceptive means, and that displays advertising, records personal information, or changes a PC’s configuration without the user’s explicit permission.”
- Any decision to classify a program as spyware will, by definition, be subjective. Not to mention controversial. Some software programs are universally considered to be spyware, but others aren’t so easy to classify. What happens when I think a program is perfectly innocent and you think it should be banned or blocked? Who decides which definition prevails? Any anti-spyware solution should include a way of classifying possible threats on a scale, so that the user can decide which ones to pay attention to and which ones to ignore.
- Cookies are not spyware. I’ve written plenty about this before (see here, here, here, and here). I’ve published easy-to-follow instructions to give you complete control over cookies, using nothing but the basic features in your favorite browser, if that’s what you prefer. If someone wants to add cookie-control features to a security suite that also includes anti-spyware features, fine, but don’t mix them together.
- If you have to scan your system for spyware and remove unwanted programs every week, you’re doing something wrong. My antivirus software is configured to scan my whole system weekly. It never finds anything, because it does such a good job of blocking infected attachments, hostile Web scripts, network worms, and so on. Running a weekly scan is probably not a bad idea, from a belt-and-suspenders point of view. But it shouldn’t be necessary, because …
- The whole point of anti-spyware software should be to prevent unwanted programs from being installed. The two most popular anti-spyware programs in recent years, Spybot S&D and Ad-Aware, started out as scan-and-remove utilities. You get infested with a piece of scumware, and then you run one of these programs to knock it out. Wouldn’t it be better if the unwanted software never got installed in the first place? That’s the point behind the Resident TeaTimer feature in Spybot 1.3 and the real-time protection features in Microsoft AntiSpyware.
- There is such a thing as high-risk behavior. Recently, I was accused of “blaming the user” for writing that the spyware epidemic can be traced, at least in part, to users “running old operating systems, with only a dim awareness of the need to do updates and a willingness to install anything…” Let’s acknowledge that the purveyors of spyware do everything they can to mislead users into making incorrect decisions, and that the architecture of Windows, especially in older versions, makes their job easy. Does that let the user completely off the hook? I don’t think so. If you regularly download files from unknown sources over peer-to-peer networks or browse adult-oriented Web sites, you are at far greater risk of getting zapped by unwanted software. The risk increases dramatically if you aren’t diligent about installing security patches and Critical Updates. If you’re going to visit dangerous neighborhoods, it makes sense to pay extra attention to your surroundings so you don’t get mugged.
- Be suspicious, but don’t be paranoid. A little healthy skepticism goes a long way toward keeping you secure. If you let your suspicions take over completely, you’ll find that the Internet is almost unusable. A completely locked-down workstation might be appropriate in a bank or at the CIA, but it’s overkill at home.
- If you’re not sure whether to install a program, don’t install it. I’ve written previously about my two-week rule: “I won’t install a new program until I’ve had at least two weeks to check it for known problems, unfortunate interactions with other programs, and unwanted behavior.” Every Windows user has at least one horror story about installing a program that caused so many problems the only cure was a complete reinstall. Most such problems (including spyware-related issues) are well documented; you’ll save yourself a lot of grief if you do your research before you click the Install button.
- If you get a piece of spyware on your system, you’re in trouble. The most insidious forms of spyware burrow into well-hidden corners of the file system and the Registry and immediately begin downloading additional components. Even if you succeed at removing the parts that cause pop-up ads and general system slow-downs, can you really be certain you got rid of every trace of the offending program? It’s far, far better to prevent the infestation in the first place, if possible.
- One anti-spyware program should be enough. I regularly read advice from spyware experts who recommend that you scan your system with two (or more) programs, because each program they tested has a different set of strengths and weaknesses. I disagree. For everyday use, pick an anti-spyware program that does the best job possible of preventing unwanted software from getting on your system in the first place. If, despite your best efforts, you find yourself needing to remove an unwanted program, use whatever tools it takes. If your preferred tool can’t get rid of the pest, go ahead and use a second or third scanner. And then, after you get rid of it, figure out how you can prevent the same thing from happening again.
Update: Interesting feedback so far from Eric L. Howes (in the comments section), from Michael Pollitt, and from Suzi at Spyware Warrior. Keep it coming, please!
Windows without the Media Player
After arguing for years that Windows Media Player was inextricably linked with the operating system, Microsoft is about to release a version of Windows without Media Player:
Microsoft is giving European computer manufacturers the choice of buying Windows with or without the company's favored Windows Media Player, which lets computer users listen to music and watch videos. Both versions of Windows will be offered for the same price, and the company said they will be available through retail channels, but only in European outlets.
Why only in Europe? Because that’s where the courts ruled that bundling Media Player with Windows was an antitrust violation.
I’ll be curious to see whether Windows Reduced Media Edition (makes it sound appealing, eh?) actually sells many copies. The price is exactly the same, so computer makers have no incentive to sell a version of Windows without a media player — all they get in return is increased tech support headaches. The only way this could take off would be if a competitor with a major media player (iTunes or RealPlayer, for instance) can convince a computer manufacturer to give it an exclusive deal on all new computers.
A literary success story
Every author dreams of something like this:
A few months ago, 28-year-old Dean Carter was a small cog in a very big machine. Hidden away in the basement at the grand old publisher Random House, he spent his days sorting mail sent by fans to such eminent writers as A S Byatt and Tom Wolfe.
Now, after a series of lucky encounters, he is the recipient of a five-figure, two-book deal, has senior publishers saving his emails as collectors' items and could soon be considering film deals from the likes of Brad Pitt and Robert De Niro.
And believe it or not, he still works in the mail room.
(Via The Elegant Variation by way of Ezra Klein)
When translation robots attack!
My publishers regularly send me copies of my books that have been translated into foreign languages, and it’s always amusing to see my by-line on a book written in a language like Thai or Romanian. But I’m not used to seeing my words translated on the Web, as in this curious link in my referrers’ log: La Culture De Fraude.
Someone did a search on Google, found a page from my site that sounded interesting, and used the language tools to translate my words into (very rough) French. Something tells me that anyone who follows any advice on this page is doomed. Just for fun, I used Google’s language tools to translate a paragraph from the translated page back into English:
The problem is that the basic infrastructure of the Internet supposes that each one on top should be done confidence. Consequently, technical measurements conceived to block hostile software, the Spam, and any other refuse must be grafted above jusqu with the top of the existing systems, rather than to be built-in as an element of the base. The more these filters function, the more the bad more persistent types become in the test to work around them, and more it seems that us are completely surrounded. A blowing simple inondator out of 10 million messages per day by hundreds of diverted computers resembles an army, even when it is really right an alive loser pathetic in park of bottom of page.
Hmmm. I don’t remember saying that. (If you want to compare the original, you can read it here.)
January 24, 2005
Eavesdropping on an MCE support call
First, Thomas Hawk posts a long entry about his MCE Television and LaCie Big Disk Problems:
Well this weekend I attempted to rehook a television signal back into my MCE machine and I was reminded that television indeed may be the biggest thing still holding Media Center back. The issue really boils down to two things. 1. Really poor television quality and 2. Incredibly complex set up.
He did what you’re supposed to do when you’re asking for help, which is to provide all the details a support professional would need. And lo and behold, he gets some serious help from Microsoft’s Charlie Owen and Matt Goyer. Which is like taking your car in to the local dealer because it’s got a rattle and discovering that the factory’s top engineers are hanging around the shop that day. It’s very cool to get such top-level support and to know that your issues are certainly going to get fixed in the next release of MCE!
The more I read about Thomas’s system, the more I think he has a driver problem of some sort. He says, “I have always been disappointed with these USB 2 external drives. The Maxtors frequently give me I/O device errors when I try and copy large batches of .mp3 files, but this performance from LaCie is the worst yet.” And previously he’s described problems with file transfer operations taking inordinate amounts of time or failing completely.
This sounds very familiar. On a PC I used about two years ago, I had constant disk I/O problems. Those turned out to be related to a faulty audio driver of all things — it was conflicting with a disk controller driver and causing all sorts of havoc. When I updated both drivers, the problem went away. I currently have four or five external USB 2.0 drives, all running flawlessly. I never get I/O errors and I copy files at full rated speed all the time, moving lots of files (my music collection) and small numbers of really big files (recorded video) without any errors.
Thomas’s other issue is video quality:
Now maybe I'm just incredibly spoiled and forgot how bad MCE television quality is after spending the last few months watching all of my high def television on my DirecTV TiVo. On the other hand, I'm pretty sure that there is more to it than this. One of the things that has perplexed me with MCE from day one is that there is a huge amount of signal degradation. … A while back someone once suggested to me that the compression technology that MCE uses is inferior to the TiVo compression technology which was the reason why it looks so bad.
My experience is exactly the opposite. I have had a Series 1 TiVo for years, and when I switched to the MCE machine for SD recordings I was shocked by the improvement in quality. No, it doesn’t compare to the HDTV pictures I get from the cable box, but I really don’t see any degradation, and we’re able to watch SD programming without any complaints about picture quality. Drivers? Hardware? Or something else?
Overall, I think Thomas has nailed one of the major issues with this technology: For the mass market to accept Media Center PCs, they have to work like appliances. TiVo boxes meet that standard because they’re designed that way. An MCE box is designed to be expandable and extensible, which sounds great but also introduces the possibility that you’ll start fiddling around with an interesting utility, a flaky add-on, or a buggy driver and end up with a machine that crashes or exhibits odd behavior. Not an appliance, by any means.
What I’d like to see in a Media Center PC is an even more robust System Restore, with the ability to capture snapshots of the system and roll things back in the event something starts to misbehave. Windows XP has that feature now, but it takes expertise to work with it. A device that’s supposed to behave like an appliance should be capable of rolling back to a known good configuration without any muss or fuss.
Technical problems resolved
Some sort of routing problem in the Great Lakes area (weather-related, no doubt) made it impossible for me to post last Friday. Rather than fight it, I decided to take the weekend off and watch some football.
Posting will resume shortly. I’ve got some good stuff saved up.
January 21, 2005
Would you subscribe to this site via e-mail?
I know some people prefer e-mail to RSS. So, two quick questions:
- If I made a weekly digest version of this site available via e-mail, would you subscribe?
- If I posted a Windows/PC tip of the day/week/whatever, would you want the option to receive it via e-mail?
Of course, your e-mail addresses would remain completely private forever and would never be used for any purpose other than the explicit ones you signed up for. I’m not interested in creating an e-mail newsletter empire or building a mailing list. I just want to offer you different options.
Voice your opinion in the comments section of this post, or click here to send me a note.
January 20, 2005
I remember Bob
The pictures of Chairman Bill were a huge hit, so I thought I would follow them up with this video tour of the legendary Microsoft Bob (clip circa March 2001, via The Screen Savers). I once had a copy of the software, but alas it has been lost to the ages, and all that survives in my office is this semi-priceless baseball hat, somewhat dusty and never worn, with the Bob logo:
(Props to Slate editor-at-large Jack Shafer for the link.)
January 19, 2005
What's the point of digital media?
In the comments to my previous post on ripping a CD collection into digital format, Ken asks some good questions:
Ed, educate me. I use my home computer primarily for e-mail, Internet browsing and research, word processing, the occasional PC game, and CD burning -- but not CD ripping for the purpose of listening to music or watching DVDs on my computer (after all, I have a plasma HD television and top line DVD player, excellent stereo equipment in both my house and my car, etc. specifically designed for those activities). What, then, is the point of ripping CDs and saving them onto hard drives, other than having one additional copy of all your files in case something happens to your CD collection?
I know people do it, but I have never understood why. Even if I downloaded music from the Internet, I would rather burn it to a CD and then play it on equipment designed primarily to play music or video. What am I missing out on, if anything? TIA.
Let’s start with what I think is the single fundamental (but perfectly natural) misconception in this question, that PC-based equipment is inferior to dedicated audio and video equipment. That was once true, but no more. Today, PC-based equipment can do many of the tasks I once needed dedicated audio equipment for, and it integrates well with home theater components. Its audio and video quality matches (and in some cases beats) that of consumer electronics equipment.
My home theater PC outputs 7.1 surround sound via a digital optical connection. In an A-B test, I don’t believe you could distinguish it from consumer-quality audio equipment. It uses component video connections to go straight to my HDTV, again with quality that is indistinguishable from a consumer DVD player and my digital cable connection. (And when I get the HDTV connection working, I expect its quality to be indistinguishable from my cable company’s HDTV signal.) My home theater system now includes an HDTV, two receivers (one for the den, the other for the speakers scattered throughout the house), and a Media Center PC that handles music, standard TV, digital photos, and DVD playback.
With an 800-CD collection, the logistics of managing the CDs as physical objects become overwhelming. I had a 300-CD jukebox that was almost impossible to use and couldn’t handle the majority of my collection. The idea of dedicating 20 or 30 feet of shelf space to CDs and then keeping all those CDs filed in some logical way is depressing. And what do I do with my extensive collection of live recordings and downloaded music, which represent the equivalent of another 400+ CDs?
The advantage of having music available in digital format is that I can scroll through the entire collection using a single interface (Media Center) that runs via remote control. I can search for artists and albums, create custom playlists, retrieve saved playlists, and do it all without stacking up jewel boxes and trying to find just the right CD. When we have a dinner party, I can put together a custom playlist for the evening, mixing music that I know will be compatible with our guests. I never fail to get positive remarks on the music and I don’t have to constantly get up to swap CDs (even a 6-CD changer will run out in the course of a long evening).
We still watch DVDs that we rent from Netflix, but all of our TV watching these days is via a DVR — either the cable company’s HD recorder or my Media Center PC, and it is fun to be able to save a particularly enjoyable show and burn it to CD for later viewing. The output from the Media Center PC is indistinguishable from the digital cable signal.
Most people have justifiable skepticism about integrating a PC into the home theater. But when the equipment is well designed and reliable, the benefits are overwhelming. I think you’re going to see an explosion in this category in the next year or two. Just watch!
Thoughts on ripping a CD collection into digital format
John Walkenbach started with the idea of having a commercial service rip his CD collection for him but has since given up on that idea:
After doing some more research, I decided to abandon the idea of using a company to convert my CDs. As it turns out, the total number of CDs is closer to 1,000, and I failed to take shipping costs into account. All told, this project would cost about $1,000 -- definitely not worth it. Plus, the idea of removing all of those CDs from their jewel boxes, shipping them, and then returning them to the correct jewel box is not at all appealing.
Wise decision. Actually, I did a similar project last fall (800 CDs) and it took less than two weeks. I used Windows Media Player 10 and configured it to rip automatically as soon as it recognized a CD. (You can choose WMA or MP3 format in bit rates as high as 320MB.) It was able to identify and correctly tag well over 95% of the tracks, downloading the album art in the process, and each CD took no more than a couple minutes. Anything that wasn’t immediately recognized I put on a stack for later handling. I did a couple of marathon sessions over one weekend, doing a few hundred CDs each day as I watched baseball games and dumb movies that required little concentration. Mostly, though, I just got in the habit of keeping a stack of CDs by my desk. I’d stick a CD in and (ahem) let ’er rip. I didn’t really need to do much more than pop out the old CD and insert a new one, and I was able to continue working on other projects throughout. All in all, it turned out to be pretty simple.
The more tedious part came later, when I went in to review tags. There were a fair number of errors and omissions that I wanted to fix. I found the eMusic Tag Editor indispensable for this task.
If you plan to do a similar project, I recommend you get two external hard drives and keep a duplicate copy of your music collection on the second drive. Don’t believe me? Just imagine the feeling in the pit of your stomach if that first drive grinds to a halt someday and you have to go through the process of ripping and tagging all over again.
Update: Based on some interesting questions from Ken in the comments, I’ve posted some follow-up thoughts in a separate post: What’s the point of digital media?
Congratulations to 2005 MVPs
Microsoft has released its list of MVP Members. Lots of familiar names on the list, and they all deserve a hearty thanks for their efforts to help other people.
I wish Microsoft would make this list more useful, however. Two options come immediately to mind:
- Add direct links and links to RSS feeds for those MVPs who have Web sites or blogs. It would be really helpful.
- Add links to searches for newsgroup threads that include posts by each member. You can learn a lot that way. Here, for example, is a search that includes all threads in the Outlook Express group that include the name of MVP Tom Koch.
If you haven’t used the Web-based Expert Zone newsreader, by the way, you’re missing out.
January 18, 2005
Get your own biometric desktop
No, not bionic. Biometric. As in Microsoft’s Optical Desktop with Fingerprint Reader. Amazon is currently selling this package, which includes a keyboard and optical mouse, for $59 with free shipping. A $10 mail-in rebate brings the net price to $49. My co-author Carl Siechert tested this for a chapter in our upcoming revision to Windows Security Inside Out. It has some nice features, but I’d be more impressed if it could integrate with Roboform.
Anyway, if you’ve been lusting after one of these gadgets, this is about as good a price as you’ll get. Until someone comes out with a bargain-basement iris scanner, that is.
Regrettably, the floppy disk is not dead
I used to have boxes and boxes of floppy disks. Today, I think I have maybe a dozen disks in all, and I would have to do a pretty thorough search to find them all. For the most part, floppy disks are completely unnecessary. I can boot from a CD to accomplish most maintenance tasks. For simple point-to-point file-transfer operations (“sneakernet”), USB flash drives are much more effective. For archiving files, I use writable CDs or, increasingly, DVDs.
In fact, I’d gladly throw away those remaining floppy disks, except that Windows XP still uses them for two essential tasks:
- Creating a Password Reset disk. (If you don’t have one of these, you should. Open User Accounts in Control Panel and then click Prevent a forgotten password in the Related Tasks sidebar.)
- Supplying a system driver during Windows setup. I built a new PC last month with an SATA drive as its system drive, but my Windows XP setup disks didn’t include the proper drivers, and the only way to provide the driver is using a floppy disk. Because that new PC didn’t have a floppy drive, I had to create a custom Windows setup CD with the correct drivers.
Frankly, I’m amazed that both of these legacy operations are still hard-wired to accept only floppy disks as the target. Please, Microsoft, don’t let these restrictions survive in Longhorn!
Update: In the comments, Chris Hedlund mentions that he’s about to put together a similar system and wants to learn more about creating a custom Windows XP install disk that contains the SATA drivers. I did it, and it was surprisingly easy, although you might not think so when you first see the instructions!
Start with this thread from the TechIMO forums. Scroll about halfway down to the post entitled “Install SATA drivers without floppy disk.” Follow the instructions carefully, and be prepared to visit this page at the Elder Geek’s site for instructions. If your copy of Windows XP is pre-SP2, start at the beginning with the Elder Geek’s instructions for how to create a Slipstreamed Windows XP CD Using SP2. The Elder Geek has special instructions for extracting the necessary Microsoft Corporation image file, or you can download it from the link included in the TechIMO Forum post. It sounds daunting, but the actual process is not that bad.
Highways West
Ken Layne has a new Web site called Highways West. As longtime readers know, Judy and I live in Arizona and love it. One of our favorite animals, of course, is the roadrunner, aka the “Clown of the Desert.” Today, Ken published a profile of this amusing bird entitled “Huzzah for the Roadrunner!” and it inspired me to link to his site.
We see roadrunners in our neighborhood a couple times a year. We used to have one that lived in the desert near our back yard. He’d come around to visit (and kill snakes) every so often. One memorable morning, as I sat reading the newspaper and drinking coffee, I watched a roadrunner walk by, followed minutes later by a coyote. The moment would have been complete if an Acme anvil had fallen from the sky right then and there.
I snapped this shot of a roadrunner who used to jump on our roof and tramp around. He was especially scruffy.
If you plan to do any driving in the Southwest, the Rockies, or the West Coast, check out Highways West. It’s packed with fun, useful, offbeat information. The travel forums are new and look like they’ll be useful too.
Organize your photos with Picasa
If you have a digital camera, Picasa is worth a try. I used the software before Google bought the company and fell in love with its slick, simple interface. My favorite feature is the timeline view, which lets you scroll through your photo collection by the date the pictures were taken, ignoring folders and cryptic file names.
Recently, Google released a new version:
Picasa is software that helps you instantly find, edit and share all the pictures on your PC. Every time you open Picasa, it automatically locates all your pictures (even ones you forgot you had) and sorts them into visual albums organized by date with folder names you know. You can drag and drop to arrange your albums and make labels to create new groups. Picasa makes sure your pictures are always organized.
Picasa also makes advanced editing simple by putting one-click fixes and powerful effects at your fingertips. And Picasa makes it a snap to share your pictures – you can email, print at home, make gift CDs, instantly share via Hello™, and even put pictures on your own blog.
Danny Sullivan has an excellent review that compares Google Picasa 2 and Adobe Photoshop Album 2 at Search Engine Watch. I’ve got several thousand digital photos here. I really should get them organized one of these days!
January 17, 2005
Peter Near compares Media Center Extenders
I personally believe that the XBox is the perfect client for Windows XP Media Center Edition, and have been pushing for this option for years. I was ecstatic when I found out that the Extender for XBox was in development.
I’m now lucky enough to own both the HP x5400 and more recently Extender for XBox, and have spent some time comparing the two.
This is a very thorough review that should answer most of your questions if you’ve been thinking about integrating a Media Center PC into your home entertainment system. For what it’s worth, I have the Linksys extender, and it is identical in function to the HP model that Peter writes about. I highly recommend it.
If I were a billionaire...
… I would have bought the negatives for this photo shoot and burned them:
Reportedly, these were for a Teen Beat photo spread, 1983.
Update: J-Walk checked with Snopes, which has the actual provenance of these pics:
Verdict: Real photos; inaccurate description.
These images are actually publicity photos taken of the then 30-year-old Bill Gates coincident with the initial release of Microsoft Windows in 1985. The Corbis photo archive identifies their depiction thusly: "Bill Gates, CEO of Microsoft, reclines on his desk in his office soon after the release of Windows 1.0. 1985 Bellevue, Washington, USA."
(Via Boing Boing.)
Give your security feedback to Microsoft
Steve Lamb is lead Technical Security Advisor for Microsoft's ITPro community in the UK. He’s in Redmond this week and is soliciting feedback for Microsoft product groups.
I'm working with the product groups for the entire week and am keen to give your feedback regarding security functionality of our products (Windows, Office, Security Business Unit) to the management, technical and product leads.
So now's your opportunity to get your comments, frustrations and suggestions for improvements to those that can make a difference - I'll champion your cause providing the feedback is constructive :-)
If you’ve got something to say, go visit Steve’s blog and post your comments there.
January 15, 2005
MCE 2005 and HDTV
In a comment on a post about Longhorn, my buddy Michael writes:
I'm confused about one thing: [Paul Thurrott] has a lengthy discussion about Windows MCE 2005 and its support for HDTV. But he has it as "already been released", but I thought it was still a few months away. (maybe he's talking beta release?)
Windows Media Center 2005 is out now. I’m running the official release. A few sites have recently posted details about a rumored upgrade this fall; as far as I know, that upgrade isn’t in beta yet. According to the rumors, HDTV support via Cable Card will be a feature in this upgrade.
MCE 2005 does indeed support over-the-air (OTA) HDTV. I have a Fusion HDTV card in my Media Center test computer. I hooked up a simple indoor antenna and I was able to watch broadcasts from one local station in HDTV. Unfortunately, I couldn’t get a reliable signal from any other stations, making the indoor antenna experiment a bust. I’m off to Radio Shack for a new antenna one of these days to see if it works any better, but it looks like an outdoor antenna is the best way to get access to OTA HDTV.
The Fusion card is QAM-compatible. I’ve done a fair amount of reading on the subject and in theory, it should be able to decode an unencrypted HDTV signal from my cable company. I don’t think that MCE 2005 supports QAM, however, only ATSC, and thus it can only tune OTA HDTV channels for now. I’m still trying to wrap my arms around how all this technology interacts. If anyone has any insights to offer, feel free to add them in the comments.
What happens when you don't understand technology
Every so often I wonder why our legal system thoroughly screws up any issue that involves technology. Then I read posts like this one, from attorney Martin Schwimmer at The Trademark Blog, and I start to understand.
It was brought to my attention that a website named Bloglines was reproducing the Trademark Blog, surrounding it with its own frame, stripping the page of my contact info. It identifies itself as a news aggregator. It is not authorized to reproduce my content nor to change the appearance of my pages, which it does. In response to my inquiry to Blogline's CEO as to whether they sell advertising, he indicated that they 'are not currently running advertising.' Nevertheless, the Blogline's home page currently is soliciting 'targeted advertisements.' I would also assume that Blogline is accumulating commercially-useful mailing lists (its privacy policy appears to allow it to sell information). The privacy policy also has a provision entitled 'mergers and acquisitions' clearly allowing it to sell its lists.
Thus, in my view, Bloglines' reproduction of my site is a commercial derivative work. Bloglines has agreed to remove my site from its service and I thank it in advance for its cooperation.
This is perhaps the stupidest thing I have ever heard. Schwimmer publishes an RSS feed. You can see it here. Go ahead and click the link and you can see it in your browser in a separate window. Note the complete absence of any formatting. This is how RSS feeds work. In fact, Bloglines is a news aggregator, and a really good one. An aggregator picks up the contents of a Web site from its RSS feed, minus any design elements and contact info, and displays it within the aggregator. (Mr. Schwimmer is going to be really, really shocked if he ever discovers how many people are reading his RSS feed in other news aggregators and are seeing exactly the same stripped-down display of content as Bloglines users.)
As of today, 71 people subscribe to this blog through Bloglines, and I thank every one of you. I even have a little button on my home page that allows Bloglines users to automatically add a subscription just by clicking. If you’re curious about how RSS works, this is an excellent way to get started.
(Via Scoble’s link blog.)
Update: Derek Slater, Harvard-based copyright wonk, tries to take Schwimmer’s complaint seriously:
One of the key issues seems to be what having an RSS feed implies others should be able to do with one's website. If Martin had no RSS feed and Bloglines was simply scraping the site, it seems people would feel very differently. But why must RSS make a difference in this case?
As I wrote in a comment at Derek’s site: Perhaps the difference is that Martin chose to publish a version of his own site, minus formatting and contact information, in the RSS format, which stands for Really Simple Syndication. The word syndication should be a tip-off that you want other people to make your content available. This is the usual and customary definition of RSS. To pretend otherwise is disingenuous, and if Schwimmer wants to change the commonly accepted definition of how RSS feeds are used, he really needs to start a larger argument, not throw a public hissy fit over a company using his RSS feed exactly as it was intended to be used.
Moral: If you don't want your site syndicated, don't publish in a syndication format.
Microsoft: OK, OK, we'll fix the Windows Media DRM flaw!
Chris Pirillo hears from Matt Calder at Microsoft with an official response to the DRM debacle:
While this issue is not the result of any exploit of Windows Media DRM, we do recognize it may cause problems for some of our customers. To help mitigate these problems, Microsoft is committed to providing an update to Windows Media Player in the next 30 days that would allow the end user more control over when and how any pop ups display in the license acquisition process.
Chris recommends turning off the option to automatically acquire licenses for protected content. Sadly, that option has zero effect on this flaw. He also says, “Don't throw the baby out with the bathwater; Windows Media is still a fantastic format.” I agree.
Update: I have re-read this comment a few times, and I’m not sure what it means. Yes, they’re apparently working on a patch. “Allow the end user more control over when and how any pop ups display”? If the patch doesn’t change the default behavior and prevent Windows Media Player from opening a Web page that can prompt the user to install software, it will be essentially useless.
January 14, 2005
Someone at Microsoft doesn't get it
According to a report at eWeek.com, Microsoft has no plans to fix a security flaw that affects Windows Media Player. (I’ve written extensively about this earlier; see this entry and the follow-ups here, here, and here.) This quote, if accurate, is wrong on many levels:
Microsoft officials stressed that the latest attack scenario does not exploit a vulnerability in the software.
"Not every problem comes with an automatic technology solution. In this case, the priority is to educate users and get them to understand the importance of not downloading files from untrusted sources," said Mike Coleman, lead product manager with Microsoft's Windows division.
"If strangers are trying to entice you to open a file, chances are they're setting you up for a bad experience. We need to continue our work on getting people to understand what's going on and get them to develop better download habits," Coleman told eWEEK.com.
Mr. Coleman doesn’t get it. In a narrow sense, it is true that this does not represent a vulnerability that can cause software to be automatically installed. However, there are at least two security issues that need to be addressed here:
- Windows Media Player 9 is able to bypass crucial protective mechanisms in Service Pack 2 and display ActiveX download dialog boxes that force the user to make a decision about installing software. As Microsoft’s official white paper on changes to functionality in SP2 states: “Providing add-on install prompts in the Information Bar rather than a dialog box reduces the occurrences of users inadvertently installing code on their computer.” As I documented earlier, Windows Media Player 10 behaves properly. This is a bug and should be fixed.
- In all versions of Windows, an attacker can misuse a feature of Windows Media Player 9 that is designed to provide information about licenses to the user. The HTML code called by WMP 9 opens in the Internet security zone. This is unsafe. Several years ago, Microsoft redesigned Outlook Express so that all code in HTML-formatted messages runs in the Restricted zone. They should do the same with Windows Media Player. This step wouldn’t restrict the functionality of informational messages or the Windows Media Guide, but it would eliminate the ability of attackers to exploit the connection between the browser and the player.
A reporter from ZDNet UK got a similar response from a Microsoft source:
"This Trojan appears to utilise a function of the Windows Media DRM designed to enable licence delivery scenarios as part of a social engineering attack," said Microsoft in an emailed statement.
"There is no way to automatically force the user to run the malicious software. This function is not a security vulnerability in Windows Media Player or DRM."
But Microsoft didn't say whether Windows XP SP2 fully protected users from unwanted downloads.
"Internet Explorer for Windows XP SP2 helps prevent downloads from automatically launching. Users who have installed Windows XP SP2 and turned on the pop-up blocker have an added layer of defence from this Trojan's attempt to deliver malicious software," said Microsoft.
As I noted before, this is incorrect. The pop-up blocker and SP2’s Information Bar don’t work properly if Windows Media Player 9 is installed. People who have chosen not to upgrade to WMP 10 (which is classified by Microsoft as an optional update) are at risk.
I’d like to see a response from someone on the security team at Microsoft. I’m hoping that someone who truly understands this issue is already working on the fix.
Update: It appears that Microsoft may actually be working on this after all. CNET News reports:
A Microsoft representative said the software company was continuing to pursue the problem.
"We are concerned, because it is behavior inconsistent with what we would do with our DRM," said Mike Coleman, lead product manager for Microsoft's Windows client consumer division.
Microsoft is planning to release an update to the Windows Media Player that will shut down a file's ability to automatically pop up a Web page, unless the user turns that function on, a representative said.
Read additional comments by Eric L. Howes at Broadband Reports ("Blaming the User: MS & WMP Adware Installations") and Suzi at Spyware Warrior (“Microsoft’s Totally Inadequate Response”).
January 13, 2005
Longhorn to ship in May 2006?
Neowin has details on the current Microsoft internal schedule for Longhorn, the next major release of Windows. Their report says the first beta release is due on May 25, with a second beta on October 12. The internal schedules say the product will release to manufacturing on May 24, 2006, almost exactly one year after the first beta.
Take all the dates with a shovel full of salt, of course. But regardless, I know what I’ll be doing for about a year when I get back from vacation on May 23!
Update: Steven Bink has a slightly different set of dates.
Announcing the Apple iProduct
(Thanks, Gizmodo.)
How to completely eliminate tracking cookies
Some people seem really concerned about cookies. The worst offenders, they argue, are so-called “tracking cookies,” which supposedly allow companies like Doubleclick to track your movements on the Internet.
If you think this is a big deal, fine. You don’t need anti-spyware software to get rid of these cookies. Instead, take the following two steps:
- Delete all currently saved cookies from your computer. In Internet Explorer, click Tools, Internet Options and then click the Delete Cookies button on the General tab. In Firefox 1.0, click Tools, Options. Click the Privacy icon in the sidebar and then click the Clear button to the right of the Cookies heading.
- Specify that you want to block all third-party cookies. In Internet Explorer, click Tools, Internet Options. On the Privacy tab, click Advanced. Click to select the Override automatic cookie handling check box, and then click Block under the Third-party Cookies heading. In Firefox 1.0, click Tools, Options. Click the Privacy icon in the sidebar and then click the plus sign to the left of the Cookies heading to expand your list of options. Click to select both options: Allow sites to set cookies and for the originating web site only.
There. You’re done. You’re completely protected from “tracking cookies.”
But (I can hear you asking) what about first-party cookies? Well, if you’re visiting a Web site, they already have your IP address, and they have a record of every page you visit on their site and everything you type into a form. If you’re really that concerned about a Web site, you might want to avoid visiting it. But if you’re really worried about first-party cookies, open Internet Explorer’s Advanced Privacy Settings page and then click the Prompt option under the First-party Cookies heading. With Firefox, you can use an extension or set the ask me every time option. After you save these settings, you’re in complete control.
Here’s what your IE options should look like:

And here’s what Firefox options look like:

Now can we agree that there’s no need for an anti-spyware program to do something so simple?
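The two cookie settings described above come down to one rule: a cookie is kept only when the host that sets it belongs to the same site as the page you are visiting. The following added example (not from the original post; the hostnames, responses and two-entry suffix list are constructed, and the matching is a simplified model, not either browser's actual code) applies that rule to the requests made while loading one page.

```javascript
// Constructed stand-in for the Public Suffix List (real browsers use the full list).
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Reduce a hostname to the domain a site owner registers,
// e.g. "static.example.co.uk" -> "example.co.uk".
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  // IP literals have no registrable domain; compare them as-is.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) return host;
  const labels = host.split(".");
  if (labels.length <= 2) return host;
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// A cookie is first-party when the responding host and the visited page
// share a registrable domain, and third-party otherwise.
function cookieParty(pageUrl, requestUrl) {
  const pageSite = registrableDomain(new URL(pageUrl).hostname);
  const requestSite = registrableDomain(new URL(requestUrl).hostname);
  return pageSite === requestSite ? "first-party" : "third-party";
}

// policy holds one action per party: "accept", "block" or "prompt",
// the three choices in IE's Advanced Privacy Settings dialog.
function applyCookiePolicy(pageUrl, responses, policy) {
  const decisions = [];
  for (const { url, setCookie } of responses) {
    if (!setCookie) continue; // response did not try to set a cookie
    const name = setCookie.split(";")[0].split("=")[0].trim();
    const party = cookieParty(pageUrl, url);
    const action = party === "first-party" ? policy.firstParty : policy.thirdParty;
    decisions.push({ name, host: new URL(url).hostname, party, action });
  }
  return decisions;
}

// Names of the cookies that end up stored without asking the user.
function storedCookies(decisions) {
  return decisions.filter((d) => d.action === "accept").map((d) => d.name);
}

// Constructed sample: one page load and the responses it triggered.
const PAGE = "https://news.example.co.uk/story";
const RESPONSES = [
  { url: "https://news.example.co.uk/story", setCookie: "session=abc123; Path=/" },
  { url: "https://static.example.co.uk/logo.png", setCookie: "prefs=compact; Path=/" },
  { url: "https://ads.tracker.example/pixel.gif", setCookie: "uid=98765; Path=/" },
  // Shares only the public suffix "co.uk" with the page, so it is still third-party.
  { url: "https://banners.other.co.uk/ad.js", setCookie: "visitor=42; Path=/" },
  { url: "https://cdn.example.co.uk/site.css", setCookie: null },
];

// Step 2 of the post: accept first-party cookies, block third-party ones.
const BLOCK_THIRD_PARTY = { firstParty: "accept", thirdParty: "block" };
// The stricter variant: also prompt for first-party cookies.
const PROMPT_FIRST_PARTY = { firstParty: "prompt", thirdParty: "block" };

for (const d of applyCookiePolicy(PAGE, RESPONSES, BLOCK_THIRD_PARTY)) {
  console.log(`${d.action.padEnd(6)} ${d.party.padEnd(11)} ${d.name} (${d.host})`);
}
```

The `banners.other.co.uk` case shows why the comparison cannot simply match the last two labels of the hostname: every `.co.uk` site would then count as first-party to every other.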
Mossberg reviews Microsoft AntiSpyware
Walt Mossberg at the Wall Street Journal reviews the new Microsoft AntiSpyware program today. I disagree with several of his conclusions. Let’s start with one complaint where I think he’s absolutely right:
I found the program easy to use, though downloading it was a bit of a hassle because Microsoft tries to get you to verify that your copy of Windows isn't pirated, which can force you to dig up your Windows serial number. You can avoid this step and still download the program, but you have to pay careful attention to the download options.
I agree. The whole Genuine Windows program should be reserved for add-ons and fun stuff. Security updates should be available to anyone with as little hassle as possible.
The software offers two kinds of scans: a quick, five-minute version, and a longer version that took about half an hour on my test machine. But the scans missed some spyware found by [Webroot’s] Spy Sweeper. In particular, Microsoft missed "tracking cookies," small files deposited by Web companies, often without your knowledge or permission, that track your online activities. The Microsoft program deliberately doesn't look for these. Microsoft officials say they are concerned that some legitimate cookies, such as those that store Web-site login information, could be unfairly labeled as spyware. They promise to add tracking-cookie detection in the future.
That’s just wrong. As I’ve said before, cookies are not spyware, and I think Microsoft is making the right decision here. Ben Edelman, in a comment on the same post, agreed:
Absolutely agreed that cookies aren't spyware and shouldn't be detected or removed as such.
It's quite striking how badly other companies (even companies I generally admire, i.e. Webroot) have done with this issue. It seems like they've been stuck in competition with each other -- who can detect more stuff as "spyware" and make the issue sound bigger, perhaps for PR purposes. Certainly the Webroot surveys for Earthlink had this ring to them -- reporting millions of tracking cookies as if this told the world something about the spyware problem.
Major kudos to Microsoft for getting this right the first time, and for being an industry leader in doing so. Here's hoping the reviews praise this improvement.
The security companies have trained reviewers to think “more is better,” and this may take some time to overcome. I hope that Microsoft doesn’t cave on this issue just to avoid some unwarranted criticism.
Even worse is the way the program handles another spyware problem, the hijacking of Web-browser home pages and search pages. This is a spyware technique in which the home and search pages in a Web browser are replaced by pages selected by a spyware company, and it's nearly impossible for a user to restore his or her own selections.
The usual way of handling this, with programs like Spy Sweeper, is to detect the page changes and to restore the user's original choices. But the Microsoft program tries to replace the spyware pages with home and search pages from MSN, Microsoft's own online service. This smacks of the same kind of coercion the spyware authors are using.
Microsoft insists it isn't trying to drive people to MSN…
I discussed this problem in an earlier post. The code that Walt is complaining about is exactly what was in the original Giant AntiSpyware, and there’s a logical technical reason for it. (Remember, the Microsoft beta was released less than three weeks after the program was purchased, and there were two holidays in there.) So insinuating that this is devious behavior from Microsoft is unwarranted. Nonetheless, I expect that this feature will be changed in the final release. I would recommend that the program ask the user during setup to confirm that the current home page is their preferred entry. Clicking Yes would write the value of the current home page to the Default_Page_URL value in the Registry.
Not only that, but Microsoft AntiSpyware does nothing at all to protect users of the rival Firefox Web browser from home- and search-page hijacking. It detects and corrects such hijacking only in its own Internet Explorer Web browser. The company says it is trying to focus on things that affect "the largest number of customers," and it notes that the vast majority of users rely on IE. But this, too, smacks of favoritism toward Microsoft products.
Well, again, this is the original code from Giant Software, so it seems a trifle unfair to blame Microsoft. But tell me, has anyone seen a home page hijacker that works on Firefox? Is Walt asking for a solution to a problem that doesn’t exist?
Walt recommends Spy Sweeper. Sadly, I think the main reason is because its scan detects hundreds of tracking cookies and thus appears to be more aggressive. In my review of that program last year, I found that it actually tried to remove or disable completely innocent programs that I use regularly. A reader reported similar experiences; in fact, Webroot’s program actually disabled all access to the Internet for her. More (and more aggressive) is not necessarily better.
I’ll have more to say about cookies in a follow-up post.
January 12, 2005
Malicious Software Removal Tool
I’ve been getting a lot of search requests today for the new Microsoft Malicious Software Removal Tool. So here it is.
The Microsoft Windows Malicious Software Removal Tool checks Windows XP, Windows 2000, and Windows Server 2003 computers for and helps remove infections by specific, prevalent malicious software—including Blaster, Sasser, and Mydoom. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed.
Microsoft will release an updated version of this tool on the second Tuesday of each month. New versions will be made available through this Web page, Windows Update, and the Microsoft Download Center.
You can do a quick online scan at this page. You’ll need to download an ActiveX control or a stand-alone executable file to complete the operation.
Update for Outlook 2003 Junk Email Filter
Yesterday was Patch Tuesday, and of course you have Automatic Updates set to download Critical Updates for you. Right?
But if you use Outlook 2003 you might have missed this one, which isn’t delivered via Windows Update:
Update for Outlook 2003 Junk Email Filter (KB890854)
It’s a shame that Microsoft doesn’t provide any documentation of how these filters work. They do, however, seem to be updating more frequently now. Earlier updates were irregular (December 2003, March 2004). But the most recent two have appeared on Patch Tuesday: September 14, 2004, and November 9, 2004. This update is cumulative. If you skipped the previous updates, this one gets you completely up to date.
January 11, 2005
Crash!
So the CEO of a giant high-tech company gives a keynote address announcing some new products and his demo crashes. No, not that CEO.
Funny how this one didn’t get as much coverage as the one last week.
I'm unsubscribing from this feed, too...
I’ve decided to take all the Windows IT Pro feeds out of my newsreader. Why? Because they use the hideous IntelliTXT sponsored-link technology provided by Vibrant Media. Take a look at this post for an example. The green underlined words, which are designed to look almost exactly like hyperlinks, are actually ads. Hover your mouse over the link, even accidentally, and a pop-up box appears. Click one, and you visit an advertiser’s page in a new browser window.
Ugh. It’s deceptive and obnoxious. I’m not going to support publishers who use this technology.
Update: ActiveWin.com uses the same annoying ads.
Cable HDTV in Windows Media Center?
This little paragraph was dropped in casually in the middle of a write-up on the new Shuttle Media Center XPC at AnandTech:
The XPC is obviously designed for more set-top applications and thus will also feature a cable card reader as well as HDTV output. The next version of Microsoft's Windows XP Media Center Edition due out in Q3 will support cable card and content protected HDTV content over digital cable services, making this device actually useful from an HDTV standpoint.
Kudos to Jason Dunn at Digital Media Thoughts for catching this one. Is it true? Ah, that’s another story, isn’t it?
Clean your screen
Is your monitor dirty? Here's an easy way to clean your screen.
(via J-Walk Blog)
January 10, 2005
Stupid spammers
Earlier today I was sorting through the Junk Mail folder for a Hotmail alias I rarely use and ran across yet another variation on the Nigerian scam e-mail. This one was pretty sleazy — the sender claimed to be a Christian preacher in Sri Lanka who knew a wealthy man who was killed in the tsunami but had left $8 million in the bank and … well, you know how the rest of it goes.
My favorite part, though, was the free Webmail service that this scammer had chosen. Do you really think a preacher would have an account at gayfetishpool.de?
Misplaced criticism
Joe Wilcox at Microsoft Monitor is unhappy about Microsoft’s attempts to steer people to its paid services. They’re practically guilty of shipping spyware themselves, he concludes, based on this experience:
I started up the Averatec 6100H this morning and got a warning that http://www.averatec.com was trying to change the default home page from http://www.msn.com. Thing is, the default had been set to averatec.com by the PC manufacturer. The warning sure as hell baffled me. Either Microsoft's software changed the setting to msn.com without asking or it was attempting to trick me into switching back to msn.com. Yes, trick. That's absolutely my interpretation of the wording, regardless of Microsoft's intentions.
Later on I checked the anti-spyware software log and learned that: "The user Joe Wilcox, has decided to allow the Internet Explorer Start Page URL change from its original URL of http://www.msn.com/ to http://www.averatec.com." Of course, the original start page was averatec.com and not msn.com.
Sorry, but the wording is confusing and presumes that msn.com was the default home page, which it was not. A PC manufacturer choosing its own home page on its computers is a fairly common practice, I might add. I'm stunned, simply because the tactic of confusing the user into agreeing to a home page change (a.k.a. hijacking) is a common tactic used by spyware. And Microsoft calls its software anti-spyware?
Sounds horrible, doesn’t it? That evil Microsoft, trying to fool people into changing their home pages to MSN.com. Except that’s not what actually happens when you try to change your home page on a computer with Microsoft AntiSpyware installed and configured with its default settings.
First of all, the behavior Joe describes was coded by the original developers of this program, the GIANT Software Company. I know, because I checked it out this morning. Blaming this behavior on Microsoft’s motives is misguided.
Second, this is a beta. Feedback like this goes into the product design.
Third, I think Joe misread this dialog box. I have my Internet Explorer home page set to My Yahoo, and I have Microsoft AntiSpyware installed. Here’s the dialog box I saw when I tried to change my home page:

The warning message accurately describes the current home page (http://my.yahoo.com) and the one I tried to change it to (http://www.bott.com/weblog). The reference to MSN.com appears afterwards and it is accurate, if you understand what the default home page is. On the Internet Options dialog box, there are three settings under the Home Page heading: Use Current, Use Default, or Use Blank. The default setting for all retail and OEM copies of Windows is MSN.com. In this case, it appears that the maker of Joe’s PC, Averatec, changed the Start Page value (which defines the current home page) but didn’t change the Default_Page_URL value. Both of these settings are found in the Registry as REG_SZ values at HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main.
Not only that, but notice that neither of the options in the dialog box above will allow me to change my home page to MSN.com. If I click Allow, my home page gets changed to the value I chose (or to the value that a script or spyware program is trying to force on me). If I choose Block, the setting for my Home Page stays exactly where it is!
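The two Registry values described above can be compared offline from a `.reg` export of that key, which shows at a glance when the current home page and the stored default have drifted apart, as on the OEM machine in Joe's report. This Python code is an added example, not code from Microsoft or GIANT; the sample export text, the function names and the status labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Key named in the post; both values live here as REG_SZ strings.
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

# Constructed sample: text of a .reg export modelled on the OEM PC in the post.
# (Real exports are usually UTF-16; decode the file to str before parsing.)
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.averatec.com/"
"Default_Page_URL"="http://www.msn.com"
"Search Page"="http://www.example.test/search?q=\"%s\""
"Example_Dword"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ConstructedSubkey]
"Start Page"="http://ignored.example.test/"
'''

_SECTION = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# "name"="data" lines are string (REG_SZ) values; \\ and \" are escaped.
_STRING = re.compile(
    r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$'
)


def _unescape(text):
    """Undo the backslash escaping used inside quoted .reg strings."""
    return re.sub(r'\\(.)', r'\1', text)


def read_sz_values(reg_text, key):
    """Return {lowercased value name: data} for string values under `key` only."""
    values = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            current = section.group("key")
            continue
        # Skip the header line and every key other than the one requested
        # (subkeys included); key names compare case-insensitively.
        if current is None or current.lower() != key.lower():
            continue
        value = _STRING.match(line)
        if value:  # dword:, hex: and other typed values are ignored
            name = _unescape(value.group("name")).lower()
            values[name] = _unescape(value.group("data"))
    return values


def normalize(url):
    """Compare URLs without regard to host case or a trailing slash."""
    parts = urlsplit(url.strip())
    return (parts.scheme.lower(), parts.netloc.lower(),
            parts.path.rstrip("/"), parts.query)


def audit_home_page(reg_text):
    """Report the current and default home pages and how they relate."""
    values = read_sz_values(reg_text, IE_MAIN)
    start = values.get("start page")
    default = values.get("default_page_url")
    if start is None or default is None:
        status = "incomplete"
    elif normalize(start) == normalize(default):
        status = "current-is-default"
    else:
        status = "current-differs-from-default"
    return {"start_page": start, "default_page_url": default, "status": status}


if __name__ == "__main__":
    print(audit_home_page(SAMPLE_EXPORT))
```

A result of `current-differs-from-default` is not evidence of hijacking by itself; it only means a prompt that mentions the default page will name a URL the user may never have seen as their home page.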
I don’t know if it’s just sloppy note-taking or what, but this is at least the fifth time in the last four months that I’ve found an error at Microsoft Monitor. I’ve sent e-mail to Joe on each occasion, and he’s corrected most of the errors, although I’m disappointed that he’s never acknowledged the input publicly. And because Joe has decided not to allow comments, it’s impossible to carry on any kind of dialog except through e-mail or (as I’m doing here) by providing corrections on my own blog. (At least one other Jupiter Research analyst, Eric Peterson, does allow comments.) [Updated: The default template on Jupiter Research blogs includes a link that reads “I welcome your comments,” but it just pops up an e-mail window. It appears that no analyst at Jupiter Research actually allows comments that appear on the same page as a blog entry.]
It’s hard to continue reading or recommending a source that regularly gets the details wrong.
From PowerPoint to your TV screen
My sister-in-law Teri asked last week if I knew how to get a PowerPoint presentation onto DVD. She had a 180–slide PowerPoint presentation (made by someone else for a friend's 50th wedding anniversary party), and they wanted to be able to pop a DVD into a player and watch the show on a big-screen TV.
I’ve written a few chapters on PowerPoint for various revisions of Special Edition Using Microsoft Office, but I’m far from an expert. I know that PowerPoint doesn't natively support any video formats, and I found an interesting discussion of the topic here. But aside from those leads, I was stumped. So I was glad to get the follow-up today:
Got the 50th Anniversary project done via...
- PowerPoint PPT to PPS (less memory use during screen capture)
- Screen capture w/ CapturePad shareware 14-day non-crippled tryout (600x800 at 30 fps)
- NeroVision Express to burn DVD Video w/Menu (It failed twice trying to burn directly from NeroVision Express, so had to burn to the hard drive first then copy via Nero Recode to DVD)
- GoVideo VCR/DVD Player to copy from DVD to VHS tape
This would have been much easier if the author had created the original slide show in MS Movie Maker! PowerPoint is a bitch to match audio to video timing. I had a lot of cleaning up to do to get rid of awkward transitions and I had to shorten one of the WAV files with Creative Wave Studio--which is kinda like cutting sushi with a hatchet.
There were no fancy slide transitions or sound effects used in this 20-minute presentation--just an approximate 6-sec transition between still photo slides and background WAV music files. I don't know how (or if) a fancy transition or effect would capture (or convert) to AVI--and I don't have time to test it right now.
I screen-captured the presentation with CapturePad to AVI with both video and audio UNCOMPRESSED. (The WAV files were already compressed.) I also noticed that there is a HUGE color loss going from the computer screen to NTSC. I think attention should be paid to colors used (as we do with web page art) and saturation of photos should be pumped up. I also set NeroVision to the highest quality video configuration and configured audio to Dolby 2.0. Make sure that any MICROPHONES (like soundcard headset or other inputs) are turned off (both in soundcard and CapturePad), or CapturePad will overdub the audio track with background noise (like me kindly yelling at the dog to get out of the office). The 22-minute, 186-slide presentation w/6 audio files ended up as only 858Mb on DVD.
I'm a happy camper.
I’ll have to try this one of these days!
Another Firefox security issue
As Firefox becomes more and more popular, it faces more and more attacks from bad guys. A new report this morning claims that phishers have found a hole in Firefox:
A security flaw in the increasingly popular Firefox browser is exposing millions of users to phishing scams, security experts have warned.
Jakob Balle, security specialist at Secunia Research, said that the vulnerability in Firefox and Mozilla allows malicious hackers to execute phishing scams by spoofing the source URL displayed in the browser's Download Dialog box.
"The problem is that long sub-domains and paths are not displayed correctly, which can be exploited to obfuscate what is being displayed in the source field of the Download Dialog box," he said.
A Secunia Research advisory stated that the "less critical" vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. It added that "other versions may also be affected".
Reportedly a patch is under development but isn’t ready.
How often should you reinstall Windows?
John J. Fried is a syndicated columnist for Knight-Ridder. In his most recent column, he offers a piece of popular advice that I think is completely misguided. In response to a question from a reader who complains that his computer is slow, he writes:
Even if you treat your PC with kid gloves, delete temporary files of all sorts, defragment, uninstall programs rather than delete them, keep viruses and spyware off the system and update drivers and programs, it is still likely the PC will turn on you.
Endless wanderings on the Internet, the installation and uninstallation of programs and the addition and removal of devices, among many other things, take their toll on the Registry and other crucial files as unavoidable errors in them crop up and multiply.
As much as you hate to hear it, what you should do every 12 to 18 months is wipe the record clean by reformatting the hard drive and reinstalling Windows and all your programs.
In fairness to Mr. Fried, he’s not the only one who believes this. For what it’s worth, I completely disagree.
If you’re experiencing a problem with Windows, there is likely a specific cause for it. Usually that cause is an unsigned driver or a program you installed. It might be an unrelated hardware problem. Whatever the cause, the best thing you can do is track down the actual cause of the problem so that you can fix it. If you simply blow everything away and start over, the most likely thing that will happen is that sooner or later (probably sooner), you’ll reinstall the driver or program that caused the original problem, and you’re right back where you started from.
The logical flaw in this advice is that installing and uninstalling software and devices causes “unavoidable errors” in Windows. No, it doesn’t. Installing a buggy driver (usually one that’s unsigned) can cause errors, as can poorly written programs and uninstallation routines that leave system files behind. But none of these errors are “unavoidable.”
January 09, 2005
Media Center 2005: Hit or miss?
Over at PaidContent.org, Jeremy Allaire sent in five predictions for 2005. This was the most interesting one, in my opinion:
-- Microsoft Media Center 2005 Will Be a Hit. Third time's a charm, and Microsoft now has a very strong product in the market. The PC industry is putting real weight behind it as it allows them to have a "whole product" sale with their emerging base of LCD and Plasma TV's (higher margin), and lets them dabble in the content business (a breath of fresh air from the cut-throat PC world); the CE industry is shipping dozens of connectors, extenders, and portable devices that support it, and the base of content companies getting behind the platform is impressive. Best of all, the product is really great, and the tens of millions of consumers who go out to buy new PCs will be tempted by the marginal incremental cost to get the promise of whole house convergence on the cheap. Yes, there are problems and issues with the product, but the list is short and Microsoft will nail them down before the end of the year. This will not be a product that is "pushed", but one that is pulled as consumer word-of-mouth helps fuel sales.
I think he’s right. I’ve read a lot about the cutthroat competition between TiVo, the cable companies, satellite providers, and Microsoft (not to mention Apple and Linux-based PC solutions). But the salient fact is that this market is going to grow explosively, which means that even a company that loses market share could still find itself growing.
Should be an interesting year.
January 07, 2005
Dolby goes overboard
Digital Media Thoughts has word on a new announcement from Dolby Labs at CES:
"Dolby Digital Plus builds on the original Dolby Digital specifications, allowing for higher bit rates and more channels. Dolby Digital Plus has a maximum bit rate of 6mbps, and support for 13.1 channels. In comparison, Dolby Digital caps out at 640kbps and 5.1 channels. So Dolby Digital Plus essentially provides 10 times the bandwidth of the original Dolby Digital. The new format also allows for extremely low bit rate multichannel sound for streaming on the Web or over the air. The benefits of the Dolby Digital Plus codec include transient prenoise processing, enhanced channel coupling, adaptive hybrid transform processing, and channel and program extensions."
I live in a ritzy part of town, and I know a few folks who have big houses. But I can't imagine any home theater that needs thirteen channels of sound. I'm not even sure my local multiplex has any theaters that need that many channels.
I can only imagine how deafened I would be if I were walking around the show floor at CES.
MCE Extenders reviewed
AP Technology Writer Matthew Fordahl has a thorough review of his experience with a Media Center Extender today. He describes the benefits well and nails the one big drawback of these devices: They do not work well with wireless 802.11g network connections (although it's possible that a dedicated 802.11a connection would suffice).
His other criticism, that the extender doesn't play protected content from HBO and other sources, was true last month but has since been fixed with a downloadable software update. (Update: Ryan, in a comment, notes this isn't true for Xbox extenders. He's right. This support page has links to the updates for Linksys and HP extenders and promises that an Xbox update will be available this month.)
Good reading, if you're thinking of getting one of these things.
Update: I missed the same writer's longer, more detailed (and generally quite positive) review of HP's Media Center PC. The good news is that both of these articles will probably appear in a lot of newspapers around the United States and encourage people to take a look at this technology.
January 06, 2005
MS antivirus tool on the way?
In the comments, Glenn points to a section of today's press release that I just plain missed. Microsoft Announces Availability of New Solutions to Help Protect Customers Against Spyware and Viruses:
In January 2004 Microsoft released a series of removal tools, each of which targeted a single virus or worm and some of its variants. Collectively, these tools augmented existing antivirus protections by scanning more than 55 million PCs worldwide for viruses such as Blaster, MyDoom and Download.Ject. The new Microsoft Windows malicious software removal tool consolidates these existing removal tools into a single solution. The tool will be updated on the second Tuesday of each month as part of Microsoft's monthly software security update process to respond to new viruses, worms and variants. The Microsoft Windows malicious software removal tool will be offered in the following ways:
- As a high-priority update through Windows Update and through Auto Update for the more than 112 million Windows XP-based PCs configured to receive priority updates automatically
- Through a simple, online interface.
- For larger corporate customers, a download through the Microsoft Download Center
Available at no charge, the Microsoft Windows malicious software removal tool is designed to augment traditional antivirus solutions to provide more complete protection against viruses, worms and variants. As with Microsoft's earlier removal tools, the new solution incorporates the knowledge and technology gained through Microsoft's acquisition of GeCAD Software in 2003.
Hard to tell what this really means. It isn't exactly an antivirus program, but it sure sounds like the first step on the road to one.
Shouldn't everyone be spyware-free?
Joe Wilcox is probably going to think I'm stalking him. I'm not, honest. It just so happens that his beat is identical to mine, so we cover a lot of the same topics. In a new post this afternoon, he reports on evidence that Microsoft may soon restrict access to its new AntiSpyware program to those with "genuine" copies of Windows. Joe writes:
Microsoft pushes product validation before users can get the software. In September, Microsoft started a trial for the Windows Genuine Advantage program, which seeks to curb piracy. The program, which is not yet officially launched, restricts some downloads to users with validated copies of Windows.
So far, at least, Microsoft isn't restricting access to this beta to users with activated copies of Windows. Unfortunately, Microsoft is doing a lousy job of communicating their policy. When you go to the download page, you have only one choice. Read the wording carefully. Under the heading, "Validation Recommended," it says "This download is available to customers running genuine Microsoft Windows." The word only is not in there.
When you click the Continue button, you arrive at a page with TWO choices. You can choose to validate your copy of Windows (using an ActiveX control if you use IE, or by downloading and running a small executable program if you use another browser or prefer not to allow ActiveX downloads). If you don't want to validate your copy of Windows, you can choose "No, do not validate Windows at this time but take me to the download." Anyone can choose that option and get to the download page.
I agree with Joe on the main issue:
I fully support Microsoft's right to protect its software from theft. But I don't see how restricting a security software download is consistent with Microsoft's often-stated goal of security being the company's top priority. I would argue that Microsoft might even be doing itself more a disservice than its customers.
Security should not be an add-on feature. It should not be restricted to people who are willing to jump through a hoop to prove their copy of Windows is "genuine." And it should not cost a dime. Making every Windows computer safer from spyware and viruses makes the entire Internet safer. Creating a link between new security programs and anti-piracy efforts is contrary to the goal of ensuring that all Internet users are secure. That is the ONLY way to look at this issue. Will whoever is working on this program at Microsoft please get that message?
MS AntiSpyware: First impressions
OK, I uninstalled my old evaluation copy of GIANT AntiSpyware and installed the new Microsoft version. As I suspected, it's quite similar. Two noteworthy changes:
- In the Advanced Tools section, the System Inoculation item is gone. This appears to be taken care of during initial setup and in the Real-Time Protection settings, so it doesn't seem like a great loss. The File Shredder utility is also missing in this build.
- The software doesn't scan cookies or report "tracking cookies" as a spyware threat. The summary screen still shows Cookies as an item on the results list, but I can't find an option anywhere that allows me to tell this program I want to scan cookies, and although there is a Cookies entry in the Help file, it points to a topic that doesn't mention cookies at all. I believe that that text was removed from the Help entry but someone forgot to update the Help index.
Removing cookies from the list of things to be detected as spyware is a good move, in my opinion. As I've noted before (here and here and here), cookies are not spyware. This software appears to be aimed at removing browser hijackers, pop-up generators, adware, phony search tools, and other forms of deceptive software. Cookies don't belong in that category. Kudos to Microsoft for making this fundamental change right away.
Update: Microsoft AntiSpyware runs only on Microsoft Windows 2000, Windows XP (including Tablet PC and Media Center Edition 2005), or Windows Server 2003. If you're using Windows 98 or Windows Me, you'll have to stick with third-party solutions.
Further update: Don't install this beta if you are running Windows Media Center Edition 2005 and you have a Media Extender. The "Known Incompatibilities" include this one: "If you install Windows AntiSpyware (Beta) on a computer running Windows XP Media Center Edition 2005, Windows Media Center Extender will not be able to establish a remote connection." Glad I read the documentation first!
Gates at CES: a wrap-up
I watched the Bill Gates keynote at the Consumer Electronics Show last night. Well, most of it, anyway. The high-speed feed had a little trouble keeping up with the demand, so I occasionally lost the picture. But I saw a few things I liked, and Conan O'Brien was a good foil for Gates, better than Jay Leno.
Joe Wilcox at Microsoft Monitor has the best high-level summary of what the various announcements all mean. Read Microsoft CES: Clarifying the Message for the details.
One quibble with Joe's otherwise-excellent report. He writes, "Apple's iTunes supports MP3 better than WMP 10, which requires third-party MP3 encoder support to rip to the format.”
This is not true. A basic installation of WMP 10 includes full support for the MP3 format at bit rates of up to 320K with no additional software required, either from Microsoft or third parties. The default format is WMA, but it takes one click in a dialog box to choose MP3 as the default format.
Update: I sent a note to Joe, and after we exchanged a few e-mails he edited his original report.
By the way, Microsoft announced that there have been 90 million downloads of Windows Media Player 10 in less than four months. That's a staggering number. To put it into perspective: The folks at Mozilla.org are justifiably proud that they had 15 million downloads of Firefox in just under two months. And no one is questioning that Firefox is an enormous hit and a big story.
Microsoft AntiSpyware beta available now
The beta version of Microsoft Windows AntiSpyware is available now. I'll have more comments after I install it. Given the quick turnaround, I expect it to be essentially identical to the GIANT AntiSpyware product, with the GIANT logos replaced by Microsoft branding. (And who wants to bet that they missed at least one?)
January 05, 2005
Seeing the spyware forest for the trees
Over at Broadband Reports, Eric L. Howes has some more details on the issue of "poisoned WMA files" that I've been writing about for the past few days. (See this entry and the follow-ups here and here.) His post, WMP Adware: A Case Study in Deception, is enlightening for its depth, and it gives a real insight into how this sort of infection lands on a user's machine. I agree with most of Eric's conclusions, but I think he's missing the forest for the trees in a few instances. Let's start with this paragraph:
Contrary to Ed Bott's assertion that this is not a "new and horrifying security risk" the installation practices that users are forced to deal with when attempting to play these rogue Windows Media Player files are so confusing, deceptive, and coercive that regular users are at high risk for unwittingly consenting to the installation of spyware and adware, with potentially dire consequences for their computers, to say nothing of their privacy and security.
My statement that this is not "new and horrifying" reflects the simple reality that these are the exact same techniques that purveyors of crapware have been using from Web sites for years. The ActiveX dialog boxes Eric posted are identical in every respect to those that users see when they visit Web pages that push the same software. This is merely a new variation on an old theme.
When I read the original PC World article, which was long on breathless assertions and short on detail, I was worried that this was a "zero-day exploit" that used a previously unknown vulnerability to install software on a user's computer without any action required on their part. A reasonable person reading the original article might assume that their machine could get infected simply by playing a music or video file. Similar exploits have happened in the past, and it would be truly horrifying if this was a new exploit that could sneak past even a sophisticated user. But that's not the case. Everything in this exploit could just as easily be accomplished (and in fact is being done every day) by Web pages that open the exact same ActiveX dialog boxes. I hate the fact that these programs exist, and I'm certainly not defending them. But I don't see much that's new here.
Eric goes on to write:
The installation practices combine and exploit a dangerous combination of circumstances and qualities to bamboozle users into believing that they are consenting to the installation of software required to view media files. Among those circumstances and qualities are:
- a legitimate, required Windows Media Player "Security Upgrade" that conditions users to expect the installation of required software;
- ActiveX Security Warning boxes that users find inherently confusing because of the vague and inadequate information provided;
- ActiveX installation prompts for software deliberately named to give the impression that it is yet another required Windows Media Player upgrade;
- repeated, insistent pop-ups designed to coerce users into consenting to the installation of software;
- murky, confusing End User License Agreements that fail to disclose the installation of third-party software as well as the functionality and privacy practices of that software.
With one exception, every item on that list describes exactly how spyware makers push software onto a naive user. The first item on the list is unique to Windows Media Player, but this is a dialog box that appears one time only. As Eric notes, the social engineering tactics that these folks are using are deliberately designed to fool users into thinking that the programs are required updates.
Eric continues:
What we need from Microsoft is a swift fix for the problems summarized here, not attempts to minimize and pooh-pooh the risk or to subtly suggest that users are the problem for not upgrading to XP SP2 and for clicking through installation prompts. As I stressed in an earlier post here at DSLR, it is absolutely inexcusable that media files should have ever become a vehicle for pushing spyware and adware on unsuspecting users. Media files should simply not be a vehicle for adware installations. Period. That there are preventative measures for this unwelcome behavior and functionality is no excuse for the problem itself. It should have never existed in the first place.
Just for the record, I am not trying to minimize this, nor am I blaming this on the user. In fact, I have specifically said the exact opposite. My original remarks were directed at people who regularly visit this site and who read the forums on Broadband Reports. Those people are most likely to be expert users who would be deeply suspicious of dialog boxes like these and who are likely to be running modern, fully patched operating systems. Sadly, they're the minority in the larger computing world.
The reason that spyware and viruses are epidemic is that older versions of Windows make it easy for people to push this crap, and as Eric correctly notes, the confusing interfaces make it easy for naive users to be fooled by basic social engineering.
I think it's important that we focus on the forest, not the trees. The biggest problem of all right now is finding a way to protect users of older Windows versions from agreeing to this stuff, regardless of where it comes from. If you fix the ActiveX problem in Internet Explorer, you fix it in Windows Media Player. As I noted, the security features in SP2 worked to prevent this exploit from confusing innocent users. There needs to be an equally effective way to make that protection work for users of older operating systems.
Eric says I'm "blaming the user" because I wrote this:
But really, isn't that the real problem here? People running old operating systems, with only a dim awareness of the need to do updates and a willingness to install anything? ... But how likely is it that the type of user Suzi is describing will download and install that patch?
I stand by that remark. Eric is demanding that Microsoft patch this vulnerability. I agree that that should be done. But the reason that viruses and spyware spread is because no matter how hard we try, many people simply don't install patches after they're released. I get virus-infected e-mail messages every day. In most cases the people who are infected with those viruses would have been protected if they had installed a patch that was released three or four years ago. If someone hasn't installed that patch, why would they install a new one to fix this vulnerability?
As I've said since Day One, I believe that this is a security flaw and that Microsoft needs to issue a patch to Windows Media Player 9 and release it as a Critical Update. I would hardly call that an "attempt to minimize and pooh-pooh the risk."
I have also reported this issue to security@microsoft.com. That's an important first step in getting a patch written and released.
January 04, 2005
Firefox tweaks: one size doesn't fit all
I've seen a bunch of links to various tweaks intended to make Firefox run faster. Boing Boing probably spread this go-faster tweak for Firefox farther than anyone. In addition, Brian Livingston published a lengthy Secrets of Firefox 1.0 article in his Windows Secrets newsletter last month.
I've been writing about various Windows speed-up tricks through the years, many of which are very popular and either misleading or flat-out wrong. Often, someone who follows all the advice in one of these articles winds up with a system that runs slower and is less stable than it was before.
That may well be the case with these Firefox tweaks as well. Brian is a reliable source of information, and I trust his advice. I also believe him when he writes:
The most sought-after performance improvements in any browser will always involve how quickly it downloads and renders Web pages. The good news is that Firefox (which is already pretty fast in its default configuration) includes numerous about:config settings that can improve the downloading and display of content. The bad news is that the optimum settings will differ from machine to machine, and there's no consensus on what they should be.
After extensive research, I haven't found a utility or even a well-tested explanation that can guarantee the optimum settings for any particular Windows scenario (Windows 2000 vs. XP, DSL vs. T1, etc.).
There are scores of Web sites that speculate on configuration settings that are said to speed up the browsing experience in Firefox. But these sites largely don't show that they've done adequate testing of the alternatives, much less explain how such tests might have been conducted.
Asa Dotzler of Mozilla has written a cautionary note about some of the speed-up tips going around. He says something very similar:
Just note that what works for one person/system, may not work for another.
Yes, there are tuning changes you can make (even at compile time, see Moox' optimized builds) that will dramatically alter the performance characteristics of Firefox. Feel free to experiment, but remember that most of the defaults are defaults for a reason. If your browser starts misbehaving or web sites look broken, it might be worth going back to default settings.
That seems like a good opportunity to mention what I consider as one of Firefox's greatest features: You can create and copy profiles anytime so you can test settings and extensions. If you're trying out some odd tweak or extension, keep a copy of your old profile. If the tweak doesn't work or the extension causes problems, you can quickly return to your old profile.
Windows XP users can open the Firefox Profiles folder by clicking Start, then Run. In the Open box, type %userprofile%\Application Data\Mozilla\Firefox\Profiles (include the percent signs, which automatically take you to your personal data folders). Make a copy of the profile folder you see there, which consists of a random eight-character string and the name of your default profile. You can then make changes to your current profile; you can undo those changes by closing Firefox and restoring the backed-up folder.
To create a new profile, use the well-hidden Profile Manager. Use the Run dialog box again and type firefox.exe -profilemanager as the command.
You can use the Profile Manager to switch between profiles. I actually keep several profiles - one for everyday use, one for some special-purpose tasks that require extensions I don't normally use, and one that is completely clean, so I can test pages without fear that an extension is distorting my results.
Microsoft's secret security plan?
Mary Jo Foley at Microsoft Watch has an interesting report on a rumored security subscription service from Microsoft, code-named "A1":
Microsoft's anti-virus/anti-spyware strategy is taking shape. Sources say Redmond's prepping a fee-based bundle, which could go beta soon.
Publicly, Microsoft continues to be cagey about packaging and pricing plans for its anti-spyware and anti-virus solutions. But privately, Microsoft has begun informing partners of its plans for a security subscription service code-named "A1," according to developers who requested anonymity.
Microsoft bought anti-virus vendor GeCAD in the summer of 2003, and anti-spyware maker Giant Company Software last month. As to how it plans to deliver these technologies, Microsoft has declined to give specifics. How/when/if it will repackage GeCAD's technology remains uncertain. Ditto for Giant's -- although according to the Windows enthusiast site Neowin, Microsoft is expected to field its first anti-spyware beta based on Giant's technology this week. Neowin said the anti-spyware beta is code-named "Atlanta."
Microsoft officials have said the company is planning to make some form of its anti-spyware product available as a free tool. But that isn't the ultimate plan, partner sources said.
Well, I've said it before and I'll say it again: Microsoft should make this service as powerful as possible and not charge a dime for it to anyone. It's part of the cost of doing business. Selling security software is ethically wrong for two reasons: 1) It involves making a conscious decision to expose some of your customers to greater risks than others, based on their ability to pay; 2) It encourages the security software vendor to overhype threats to encourage people so they'll be stampeded into paying up.
I'm sure someone at Microsoft is saying something like, "Well, we'll provide a free security offering that will provide basic protection to everyone, and we'll just charge extra for bells and whistles." That's nonsense. Security should be considered a core feature, not an add-on.
Spread the word. Make some noise. Now is the right time to convince the folks who are making these decisions to do it the right way.
Windows Media Player secrets
Mike Williams explains the mysteries of Windows Media Player Artist fields:
WMP gives you three primary fields to work with for musical artists: Album Artist, Contributing Artist, and Composer. While functionally different, successive versions of WMP have hopelessly complicated how these are presented to the user. In v10, the Library has a tree associated with each, whereas v9 only exposed a [Contributing] Artist tree.
I had figured out some of this stuff during the writing of Windows XP Inside Out, Second Edition (when WMP10 was still in beta), but this post taught me several really interesting things I didn't know. If you use WMP and you have a large media library, this is a must-read.
I discovered Mike's blog thanks to Matt's wiki. Isn't the Web a wonderful thing?
File association fixes
You install a program. You decide you don't like it. You uninstall it. But it changed your associations for a whole group of files, and now your original program doesn't work. What do you do?
Visit Doug Knox's site and pick one of these handy-dandy downloadable Windows XP File Association Fixes. He's got 24 in all, from Batch Files to Zip Folders.
This also comes in handy if you inadvertently make a wrong choice when using the File Types tab on the Folder Options dialog box.
January 03, 2005
Comcast's new HD-DVR
Just before the holidays, Matt Haughey had some first impressions of Motorola's serious looking DVR, which is now rolling out to Comcast users. In a fresh post today, he has designer James Duncan Davidson's first impressions of the unit and links to a screenshot of the unit in action.
Only 15 hours of HD recording? Only 60 hours total? That would be a deal-breaker for me, even if the interface looks way better than the horrible Scientific Atlanta software.
I've ordered a Fusion HDTV card for the Media Center PC and will be experimenting with over-the-air HDTV. (They say it supports MCE 2005.) If it works, the Cox/SA box is going back...
MCE resource wiki
Phat Matt (Matt Fletcher) has created an MCE wiki (a collaborative, community-based collection of content and links). You can view it here: MCE 2005 - Windows Media Center Edition 2005 Resources.
Because it's a wiki, anyone can add or edit content. Cool idea.
Still more on WMA and spyware
Andrew Clover adds a comment to my original post with some interesting observations. Worth reading.
One correction to Andrew's note. He writes:
I did get one ActiveX download box from MS for the DRM stuff immediately prior to the two bogus downloaders, which looked almost identical.
That's not an ActiveX download. That's an automatic update from Windows Media Player. It's not served up as HTML, and it looks completely different. Yes, a user (even a sophisticated one like Andrew) may be confused into thinking this is the same thing. But ultimately, IMO, this is the saving grace for Microsoft.
Because Windows Media Player has an auto-update feature, Microsoft should release a WMP patch that disables all ActiveX functionality in the instance of Internet Explorer that is hosted by the License Acquisition dialog box. They should then push this patch out as a required update via Critical Updates and through the auto-update feature in Windows Media Player. That step would go a long way toward solving this problem.
Update: In a comment, Andrew insists that the DRM update looks exactly like the spyware installers. I went back and snapped some screens so you can compare. I've got the details in the extended portion of this post.
In both cases, this prompt for an update appears the first time you try to play a DRM-enabled Windows Media file. Here's the one from a box running Windows XP with SP2 and WMP 10:
And here's what you see if you're running Windows XP RTM ("stock") with Windows Media Player 9 version 8, the basic version included with the original release of Windows XP:
Compare those with the images in my original post of the spyware installers.
The DRM updates are actual Windows dialog boxes with buttons that link to Microsoft Web pages. The installers are HTML-based. I can see the difference, but I'll concede that if a sophisticated researcher like Andrew has difficulty distinguishing them, there's a problem.
January 02, 2005
More on "poisoned" media files
In a comment posted to my earlier post on "poisoned" Windows Media files, Ben Edelman offers the sort of excellent counterpoint you'd expect from someone who is not only attending Harvard Law School but also studying for a PhD in economics at Harvard:
I don't think it's right to say the license agreement is "quite clear on what [users] would get." Certainly the license never says anything like "this program will install 30+ other programs from third parties, and clog your registry with tens of thousands of new entries."
Fair enough. My comments were not in any way meant to let the scummy purveyors of this crapware off the hook. My intent was to indicate that a security-conscious individual who follows the links in the installation dialog boxes will see plenty of stuff to raise red flags.
Update: I went back and read the terms of service for iSearch and iLookup, which was the second module installed using this file. The terms of service specifically say: "...you understand and agree that the Software may, without any further prior notice to you ... automatically update the Software and install added features or functionality or additional software, including search clients and toolbars, conveniently without your input or interaction." (This doesn't excuse the actions of the purveyors of this crapware, but any aware user will know exactly what he or she is getting.)
Ben's absolutely right that the people who are behind these add-ins are preying on ordinary users with a wide range of tricks. Sadly, I've seen all these tricks used before, but that doesn't make them any more acceptable here. I agree completely with Ben when he writes:
I think Ed gives too little weight to the especially deceptive circumstances of a software installation prompt shown when users try to watch a video. For one, legitimate media players actually do use these prompts to install necessary updates (i.e. the latest version of Macromedia Flash). In addition, the unusually misleading (purported) product name and company name make it particularly easy to be led astray here. Users deserve better.
I can end this post on a positive note, by the way. After I read the most recent update to Ben's test report (including a link to this post and a discussion of my findings), I decided to carry the test one step further. I took a deep breath and did what a naive, foolish user would do: I clicked Install when presented with the first deceptive spyware prompt. And then for good measure I clicked Install when prompted to install the second spyware program as well.
How bad was it? Surprise! My test PC is running GIANT AntiSpyware, which promptly blocked the nasty program from installing with a stern warning.
I clicked Remove, and a subsequent scan showed that no spyware -- zero -- was installed on this computer. I had no unexplained pop-ups, my searches went to the place they were supposed to go, my home page was unchanged, and a scan of the firewall logs showed no suspicious activity. (Curiously, the SpiderSearch program was apparently not installed at all, and the iLookup module was blocked. I don't know if this is the one that so thoroughly polluted Ben's test computer.)
Last month, Microsoft purchased the company that makes GIANT AntiSpyware and announced plans to release a free public beta of the Microsoft-branded version of this program later this month. They also announced a new set of strategic initiatives to reduce the spyware threat. Based on my experience, they're going in the right direction.
Update: Suzi at Spyware Warrior has some comments on her blog as well. Some interesting food for thought, but this line struck me more than anything:
I installed the same WMA file on an old Win ME box with no protection except AVG free and the free version of Zone Alarm.
She goes on to describe the disaster that befell that computer. But really, isn't that the real problem here? People running old operating systems, with only a dim awareness of the need to do updates and a willingness to install anything? Spyware is an epidemic now precisely because it is trivially easy to install it on that type of computer.
Don't misunderstand what I'm saying. Microsoft can and should patch Windows Media Player (9 and 10) so that it rejects all ActiveX controls. Period. It should push that patch out as a Critical Update. But how likely is it that the type of user Suzi is describing will download and install that patch?
"Poisoned" Windows Media files: more details
In an earlier post, I pointed to the fast-spreading but suspicious story alleging that a flaw in WMA files can plant spyware on your computer. This is a follow-up.
In the extended portion of this post, I provide details and screen grabs. I'm indebted to Eric L. Howes for his assistance. Thanks to Ben Edelman for posting a detailed report on his experiences with earlier operating systems and to Andrew Clover who provided a sample file that ultimately made its way to me.
Here's a quick summary of what you need to know:
- The PC World story contained several errors and some misleading statements.
- I have not identified any circumstance in which this exploit can install software on a computer that has a properly patched version of Internet Explorer. The victim must specifically click a button to install the spyware.
- The programs in question are digitally signed and are from known companies. The terms of service make it clear what you're getting. It takes one click and 10 seconds of reading to realize that the correct answer is no.
- The installation mechanism uses social engineering tricks that could fool a naive user. These are the same tricks that are used on Web pages (especially porn sites) to install spyware.
- You are most likely to acquire one of these "poisoned" WMA files from a peer-to-peer file-sharing network. The risk that you will get a file like this from a reputable music seller that uses digital rights management is as close to zero as it is possible to get.
- If you use Windows XP with Service Pack 2 and Windows Media Player 10, you are completely protected.
- If you have restricted ActiveX programs from being installed on your computer, you are completely protected. If you have assigned a program other than Windows Media Player to play back Windows Media content, you should be protected as well, although I didn't test this scenario.
- Clearing the option to acquire software licenses automatically seems to have no effect on this exploit. [Update: A later update to WMP 10 changed this setting so that it now provides an extra warning before displaying the license acquisition dialog box.]
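One way to check the "restricted ActiveX" condition from the summary above, as an added example that is not part of the original post: the script reads the text of a registry export of Internet Explorer's security zones and lists every ActiveX URL action that is not set to disable. The export text is constructed sample data, the function names are hypothetical, and the export is assumed to come from a single registry hive.

```python
import re

# Internet Explorer URL actions that control ActiveX in a security zone.
ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
}
# DWORD policy values used for those actions.
POLICY = {0: "enable", 1: "prompt", 3: "disable"}

# Constructed sample (not from the post): .reg export text for two zone keys,
# zone 3 = Internet and zone 4 = Restricted sites.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
'''

ZONE_KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d)\]$", re.IGNORECASE)
DWORD_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')


def parse_zone_actions(export_text):
    """Return {zone_number: {action_code: dword_value}} from .reg export text."""
    zones, current = {}, None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A new key starts; only zone keys are of interest.
            match = ZONE_KEY_RE.match(line)
            current = zones.setdefault(match.group(1), {}) if match else None
        elif current is not None:
            value = DWORD_RE.match(line)
            if value:
                current[value.group(1).upper()] = int(value.group(2), 16)
    return zones


def audit_activex(export_text, zone="3"):
    """List (code, label, state) for ActiveX actions in a zone that are not disabled.

    "prompt" is reported too: it is the Install / Don't Install dialog the post
    describes, which leaves the decision to the user. A missing value is
    reported as "not set" because the effective default cannot be read from
    the export.
    """
    actions = parse_zone_actions(export_text).get(zone)
    if actions is None:
        raise KeyError(f"zone {zone} not present in export")
    findings = []
    for code, label in ACTIVEX_ACTIONS.items():
        value = actions.get(code)
        if value is None:
            state = "not set"
        else:
            state = POLICY.get(value, f"unknown (0x{value:x})")
        if state != "disable":
            findings.append((code, label, state))
    return findings


if __name__ == "__main__":
    for code, label, state in audit_activex(SAMPLE_EXPORT, "3"):
        print(f"Internet zone: {code} {label}: {state}")
```

An empty result for the Internet zone means no page in that zone can get as far as an ActiveX install prompt.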
I copied the test file, which is a file in Windows Media Video (WMV) format, to two test systems. The actual content claims to be a porn file, which no doubt ensures that it will be widely spread. I have read reports that the same technique is used in Windows Media Audio files as well, and from a technical point of view this is absolutely true.
When you first try to play the file, WMP tries to acquire a license from protectedmedia.com (which is apparently a third-party licensing service designed for indie media providers to license content without having to own their own license server). As part of that action, it tries to load a popup and install an ActiveX control.
On a system with SP2 and WMP10, all the security features kick in immediately. Both of these actions are blocked by the security features in SP2. The Information Bar appears in the License Acquisition dialog box (which is a hosted instance of Internet Explorer). Here's a screen shot:
Note that this dialog box is actually a hosted instance of Internet Explorer. See the Information bar at the top? That's your sign that the popup and the ActiveX program have been blocked. The image in the dialog box is a Flash animation running on a Web page at protectedmedia.com. (You could bypass all this nonsense by just clicking the Play button at the bottom of the dialog box.) If you click the Info Bar, you can tell it to allow ActiveX programs to be installed. If you do that, a browser window opens with a pornographic Web page in it and you get a Security Warning dialog box where you can choose Install or Don't Install (the default is Don't Install). In this second dialog box, the Name of the software is listed as "You must agree to our Terms and Conditions." When you click the link attached to that text, you go to a Web page that includes the Terms of Service for the software (SpiderSearch). It is digitally signed by the developer, Ultra Web Host LLC. If you click the link to read the terms of service, it clearly says it's going to show porn ads on your computer.
Notice how the text tries to trick me into installing this software by claiming to be a "required update"? That's the oldest trick in the book and one that SP2 has specifically been designed to avoid. (Remember that the only reason I am seeing this message is because I authorized ActiveX installations via the Info Bar.) I clicked Don't Install and saw another message that a pop-up had been blocked. It then prompted me to install a second ActiveX control. This was another spyware program, iSearch. Again, I was presented with a security dialog box where I could choose Install or Don't Install. The link to the terms of service called it a "Required Media Player Version 9 Browser Update" - a little social engineering. Clicking that link led to a page that was quite clear on what I would get:
By installing the Software, you understand and agree that the Software may, without any further prior notice to you, automatically perform the following: display advertisements of advertisers who pay a fee to iSearch and/or it's partners, in the form of pop-up ads, pop-under ads, interstitials ads and various other ad formats, display links to and advertisements of related websites based on the information you view and the websites you visit; store non-personally identifiable statistics of the websites you have visited; redirect certain URLs including your browser default 404-error page to or through the Software; provide advertisements, links or information in response to search terms you use at third-party websites; provide search functionality or capabilities; automatically update the Software and install added features or functionality or additional software, including search clients and toolbars, conveniently without your input or interaction; install desktop icons and installation files; install software from iSearch affiliates; and install Third Party Software.
The security features in SP2 worked. All pop-ups were blocked. To install the spyware, I would have to first click the Info Bar and allow ActiveX controls to be installed from that page. If I did that, I would then have to click Install on two separate dialog boxes, where I would have an opportunity to read the terms of service. A user who tried to play this file would have to blow past a lot of pretty serious warnings, and you would have to click several buttons that pretty clearly say you're installing software, and the terms of service are pretty clear about what you're getting. It's worth noting that these are signed programs. If they were unsigned (I've never heard of a virus writer who has gotten a software-signing certificate that any version of Windows would trust) they would be rejected automatically and you would not be presented with an opportunity to install them. Anyone who would go past all these roadblocks has probably already been hit by every form of virus and spyware known to man.
What if you have never upgraded to Windows Media Player 10? With the default version of Windows Media Player 9 Series on Windows XP with SP2, the end result is similar but there's a crucial difference: the Information Bar doesn't block the attempt to install the two ActiveX controls. Instead, after I double-clicked the file and the License Acquisition dialog box appeared, I was presented with a Security Warning dialog box for the first ActiveX control. Again, I had to choose Install or Don't Install, but this choice shouldn't have been presented to me at all. After I clicked Don’t Install, the second ActiveX dialog box appeared. When I then clicked Don't Install, I got three pop-ups and the clip began playing. These pop-ups appear regardless of SP2 pop-up blocker settings. (I believe the pop-ups are directly related to actions in the license acquisition process. One is associated with each ActiveX control and one is associated with the clip itself.)
It appears that the instance of IE that is being hosted in the WMP9 License Acquisition dialog box is not interacting properly with the security restrictions in SP2. However, the user still has to click the Install button to install the spyware, and the links to terms and conditions are all there. Nothing is installed automatically.
Initially, I thought that disabling the option to acquire licenses automatically would solve this problem. (In Windows Media Player, you do this by clicking Tools, Options. Click the Privacy tab and then clear the Acquire licenses automatically for protected content check box.) However, further testing reveals that this is not the case. Because these files are tagged as needing a license, the player is going to try to go out and get one. The whole point of this exploit is to bring you to a Web page, so the license is a red herring. In fact, a few seconds ago when I tried to acquire a license, the Flash file disappeared and was replaced with an "adults only" static image. If this were a reputable company, the License Acquisition dialog box would contain legitimate details about the track and the license you just acquired, such as when it expires or how many times you're allowed to play the clip. [Update: A patch to Windows Media Player 10, released approximately a month after this report, changed the behavior of this option and does provide an extra warning before displaying the license dialog box.]
See how this dialog box tells me I've acquired the license and I can just click the Play button?
I don't see this as a new and horrifying security risk, the way some observers do. This is yet another variation of the tried-and-true tactics that spyware providers have been using for years to push their crap: social engineering combined with ActiveX "push" installations. I urge Microsoft to patch this behavior for Windows Media Player 9, but anyone who is aware of current security practices shouldn't fall for this stuff.
Update: For the most recent information on this issue, see the follow-up here.
MCE plug-ins
If you have a Media Center PC (or if you're thinking about getting one), bookmark mcesoft.nl:
Media Center Plug-ins are little programs that give new possibilities or expand existing functionality to your Windows XP Media Center Edition. Many programmers have made and are still making these Media Center plug-ins to make features available which aren't there when you have a Media Center "out of the box". This goes from features like a system for categorising your DVD's and Movies complete with descriptions, actors and director info to features like having your local current Weather situation and forecast available, but it also includes the possibility to listen to or watch online media or the possibility to edit or compress recorded television and make a DVD of it. This site is dedicated to those plug-ins and we will try to give you as much info as possible about them.
I just installed the latest version of MCEWeather. Excellent, and it works with my Media Center Extender as well.













